Edit tour

Windows Analysis Report
67qCH13C8n.exe

Overview

General Information

Sample name:	67qCH13C8n.exe renamed because original name is a hash value
Original sample name:	ed897c0a85eebe514a44a8edbf898b7cbeac36b0df22a145addcace14c3b742a.exe
Analysis ID:	1588804
MD5:	f305accb1225d9894d92c5204f5dfb1d
SHA1:	5faab4c869f46579a260b109d62ace16916cc3a0
SHA256:	ed897c0a85eebe514a44a8edbf898b7cbeac36b0df22a145addcace14c3b742a
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

67qCH13C8n.exe (PID: 5484 cmdline: "C:\Users\user\Desktop\67qCH13C8n.exe" MD5: F305ACCB1225D9894D92C5204F5DFB1D)

svchost.exe (PID: 6096 cmdline: "C:\Users\user\Desktop\67qCH13C8n.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2237744786.0000000003750000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2237420937.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\67qCH13C8n.exe", CommandLine: "C:\Users\user\Desktop\67qCH13C8n.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\67qCH13C8n.exe", ParentImage: C:\Users\user\Desktop\67qCH13C8n.exe, ParentProcessId: 5484, ParentProcessName: 67qCH13C8n.exe, ProcessCommandLine: "C:\Users\user\Desktop\67qCH13C8n.exe", ProcessId: 6096, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\67qCH13C8n.exe", CommandLine: "C:\Users\user\Desktop\67qCH13C8n.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\67qCH13C8n.exe", ParentImage: C:\Users\user\Desktop\67qCH13C8n.exe, ParentProcessId: 5484, ParentProcessName: 67qCH13C8n.exe, ProcessCommandLine: "C:\Users\user\Desktop\67qCH13C8n.exe", ProcessId: 6096, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 67qCH13C8n.exe	Virustotal: Detection: 70%			Perma Link
Source: 67qCH13C8n.exe	ReversingLabs: Detection: 71%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2237744786.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2237420937.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 67qCH13C8n.exe

Joe Sandbox ML: detected

Source: 67qCH13C8n.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: 67qCH13C8n.exe, 00000000.00000003.2152884616.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, 67qCH13C8n.exe, 00000000.00000003.2152066158.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2201301371.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237778707.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203392077.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237778707.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 67qCH13C8n.exe, 00000000.00000003.2152884616.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, 67qCH13C8n.exe, 00000000.00000003.2152066158.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2201301371.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237778707.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203392077.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237778707.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CF4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00CF4696
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CFC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00CFC9C7
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CFC93C FindFirstFileW,FindClose,	0_2_00CFC93C
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CFF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CFF200
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CFF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CFF35D
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CFF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00CFF65E
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CF3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CF3A2B
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CF3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CF3D4E
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CFBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00CFBF27

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00D025E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00D025E2

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00D0425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00D0425A

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00D04458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00D04458

Source: C:\Users\user\Desktop\67qCH13C8n.exe

0_2_00D0425A

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CF0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00CF0219

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00D1CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D1CDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2237744786.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2237420937.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00C93B4C
Source: 67qCH13C8n.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 67qCH13C8n.exe, 00000000.00000000.2143422997.0000000000D45000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_00ac1d7b-b
Source: 67qCH13C8n.exe, 00000000.00000000.2143422997.0000000000D45000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_138a2360-f
Source: 67qCH13C8n.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_15ae8629-1
Source: 67qCH13C8n.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f496a29b-4

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C613 NtClose,	2_2_0042C613
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A903 NtAllocateVirtualMemory,	2_2_0040A903
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972B60 NtClose,LdrInitializeThunk,	2_2_03972B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03972DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039735C0 NtCreateMutant,LdrInitializeThunk,	2_2_039735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03974340 NtSetContextThread,	2_2_03974340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03974650 NtSuspendThread,	2_2_03974650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972B80 NtQueryInformationFile,	2_2_03972B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972BA0 NtEnumerateValueKey,	2_2_03972BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972BF0 NtAllocateVirtualMemory,	2_2_03972BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972BE0 NtQueryValueKey,	2_2_03972BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972AB0 NtWaitForSingleObject,	2_2_03972AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972AD0 NtReadFile,	2_2_03972AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972AF0 NtWriteFile,	2_2_03972AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972F90 NtProtectVirtualMemory,	2_2_03972F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972FB0 NtResumeThread,	2_2_03972FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972FA0 NtQuerySection,	2_2_03972FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972FE0 NtCreateFile,	2_2_03972FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972F30 NtCreateSection,	2_2_03972F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972F60 NtCreateProcessEx,	2_2_03972F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972E80 NtReadVirtualMemory,	2_2_03972E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972EA0 NtAdjustPrivilegesToken,	2_2_03972EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972EE0 NtQueueApcThread,	2_2_03972EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972E30 NtWriteVirtualMemory,	2_2_03972E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972DB0 NtEnumerateKey,	2_2_03972DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972DD0 NtDelayExecution,	2_2_03972DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972D10 NtMapViewOfSection,	2_2_03972D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972D00 NtSetInformationFile,	2_2_03972D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972D30 NtUnmapViewOfSection,	2_2_03972D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972CA0 NtQueryInformationToken,	2_2_03972CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972CC0 NtQueryVirtualMemory,	2_2_03972CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972CF0 NtOpenProcess,	2_2_03972CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972C00 NtQueryInformationProcess,	2_2_03972C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972C70 NtFreeVirtualMemory,	2_2_03972C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972C60 NtCreateKey,	2_2_03972C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973090 NtSetValueKey,	2_2_03973090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973010 NtOpenDirectoryObject,	2_2_03973010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039739B0 NtGetContextThread,	2_2_039739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973D10 NtOpenProcessToken,	2_2_03973D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03973D70 NtOpenThread,	2_2_03973D70

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CF40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00CF40B1

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CE8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00CE8858

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CF545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00CF545F

Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CBDBB5	0_2_00CBDBB5
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00D1804A	0_2_00D1804A
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00C9E060	0_2_00C9E060
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CA4140	0_2_00CA4140
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CB2405	0_2_00CB2405
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CC6522	0_2_00CC6522
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CC267E	0_2_00CC267E
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00D10665	0_2_00D10665
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CA6843	0_2_00CA6843
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00C9E800	0_2_00C9E800
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CB283A	0_2_00CB283A
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CC89DF	0_2_00CC89DF
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00D10AE2	0_2_00D10AE2
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CC6A94	0_2_00CC6A94
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CA8A0E	0_2_00CA8A0E
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CEEB07	0_2_00CEEB07
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CF8B13	0_2_00CF8B13
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CBCD61	0_2_00CBCD61
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CC7006	0_2_00CC7006
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CA3190	0_2_00CA3190
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CA710E	0_2_00CA710E
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00C91287	0_2_00C91287
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CB33C7	0_2_00CB33C7
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CBF419	0_2_00CBF419
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CB16C4	0_2_00CB16C4
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CA5680	0_2_00CA5680
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CA58C0	0_2_00CA58C0
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CB78D3	0_2_00CB78D3
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CB1BB8	0_2_00CB1BB8
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CC9D05	0_2_00CC9D05
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00C9FE40	0_2_00C9FE40
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CB1FD0	0_2_00CB1FD0
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CBBFE6	0_2_00CBBFE6
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_01690E30	0_2_01690E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410093	2_2_00410093
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E10B	2_2_0040E10B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E113	2_2_0040E113
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402250	2_2_00402250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401210	2_2_00401210
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004023F0	2_2_004023F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EC23	2_2_0042EC23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE6A	2_2_0040FE6A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402670	2_2_00402670
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE73	2_2_0040FE73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004167DE	2_2_004167DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004167E3	2_2_004167E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A003E6	2_2_03A003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA352	2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C02C0	2_2_039C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A001AA	2_2_03A001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F41A2	2_2_039F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F81CC	2_2_039F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930100	2_2_03930100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C8158	2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393C7C0	2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964750	2_2_03964750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395C6E0	2_2_0395C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A00591	2_2_03A00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EE4F6	2_2_039EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4420	2_2_039E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F2446	2_2_039F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F6BD7	2_2_039F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FAB40	2_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0A9A6	2_2_03A0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039268B8	2_2_039268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E8F0	2_2_0396E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394A840	2_2_0394A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03942840	2_2_03942840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BEFA0	2_2_039BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932FC8	2_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394CFE0	2_2_0394CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03960F30	2_2_03960F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E2F30	2_2_039E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03982F28	2_2_03982F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B4F40	2_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952E90	2_2_03952E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FCE93	2_2_039FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FEEDB	2_2_039FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393AE0D	2_2_0393AE0D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FEE26	2_2_039FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940E59	2_2_03940E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03958DBF	2_2_03958DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DCD1F	2_2_039DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394AD00	2_2_0394AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0CB5	2_2_039E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930CF2	2_2_03930CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940C00	2_2_03940C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0398739A	2_2_0398739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F132D	2_2_039F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392D34C	2_2_0392D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039452A0	2_2_039452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395B2C0	2_2_0395B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E12ED	2_2_039E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394B1B0	2_2_0394B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0B16B	2_2_03A0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392F172	2_2_0392F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397516C	2_2_0397516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EF0CC	2_2_039EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039470C0	2_2_039470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F70E9	2_2_039F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FF0E0	2_2_039FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FF7B0	2_2_039FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F16CC	2_2_039F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03985630	2_2_03985630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DD5B0	2_2_039DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A095C3	2_2_03A095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F7571	2_2_039F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FF43F	2_2_039FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03931460	2_2_03931460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395FB80	2_2_0395FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B5BF0	2_2_039B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397DBF9	2_2_0397DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFB76	2_2_039FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DDAAC	2_2_039DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03985AA0	2_2_03985AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E1AA3	2_2_039E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EDAC6	2_2_039EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFA49	2_2_039FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F7A46	2_2_039F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B3A6C	2_2_039B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D5910	2_2_039D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03949950	2_2_03949950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395B950	2_2_0395B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039438E0	2_2_039438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AD800	2_2_039AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03941F92	2_2_03941F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFFB1	2_2_039FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03903FD2	2_2_03903FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03903FD5	2_2_03903FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFF09	2_2_039FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03949EB0	2_2_03949EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395FDC0	2_2_0395FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F1D5A	2_2_039F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03943D40	2_2_03943D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F7D73	2_2_039F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FFCF2	2_2_039FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B9C32	2_2_039B9C32

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0392B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03975130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03987E54 appears 111 times
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: String function: 00CB0D27 appears 70 times
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: String function: 00CB8B40 appears 42 times
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: String function: 00C97F41 appears 35 times

Source: 67qCH13C8n.exe, 00000000.00000003.2152182926.000000000421D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 67qCH13C8n.exe
Source: 67qCH13C8n.exe, 00000000.00000003.2153139930.00000000040C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 67qCH13C8n.exe
Source: 67qCH13C8n.exe, 00000000.00000003.2154561234.00000000040C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 67qCH13C8n.exe

Source: 67qCH13C8n.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CFA2D5 GetLastError,FormatMessageW,

0_2_00CFA2D5

Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CE8713 AdjustTokenPrivileges,CloseHandle,		0_2_00CE8713
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CE8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00CE8CC3

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CFB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00CFB59E

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00D0F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00D0F121

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00D086D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00D086D0

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00C94FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C94FE9

Source: C:\Users\user\Desktop\67qCH13C8n.exe

File created: C:\Users\user\AppData\Local\Temp\autABC4.tmp

Jump to behavior

Source: 67qCH13C8n.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 67qCH13C8n.exe	Virustotal: Detection: 70%
Source: 67qCH13C8n.exe	ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\67qCH13C8n.exe "C:\Users\user\Desktop\67qCH13C8n.exe"
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\67qCH13C8n.exe"
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\67qCH13C8n.exe"	Jump to behavior

Source: C:\Users\user\Desktop\67qCH13C8n.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: 67qCH13C8n.exe

Static file information: File size 1205760 > 1048576

Source: 67qCH13C8n.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 67qCH13C8n.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 67qCH13C8n.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 67qCH13C8n.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 67qCH13C8n.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 67qCH13C8n.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 67qCH13C8n.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: 67qCH13C8n.exe, 00000000.00000003.2152884616.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, 67qCH13C8n.exe, 00000000.00000003.2152066158.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2201301371.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237778707.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203392077.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237778707.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 67qCH13C8n.exe, 00000000.00000003.2152884616.00000000040F0000.00000004.00001000.00020000.00000000.sdmp, 67qCH13C8n.exe, 00000000.00000003.2152066158.0000000003F50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2201301371.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237778707.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203392077.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2237778707.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp

Source: 67qCH13C8n.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 67qCH13C8n.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 67qCH13C8n.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 67qCH13C8n.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 67qCH13C8n.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00D0C304 LoadLibraryA,GetProcAddress,

0_2_00D0C304

Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CB8B85 push ecx; ret	0_2_00CB8B98
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CA553F push ebx; retf 0000h	0_2_00CA554A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E80C push edx; iretw	2_2_0041E831
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D0FD push edx; retf	2_2_0040D121
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E898 push edx; iretw	2_2_0041E831
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411953 push FFFFFFCFh; iretd	2_2_00411974
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004031A0 push eax; ret	2_2_004031A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040C32C push eax; iretd	2_2_0040C32E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413B33 push ebp; retf	2_2_00413B4E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D3EA push ebp; ret	2_2_0040D3EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413BF6 push cs; iretd	2_2_00413BF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401DE2 push eax; retf	2_2_00401DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A6D5 push eax; retf	2_2_0041A6DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404EBD push edi; ret	2_2_00404EF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404F00 push edi; ret	2_2_00404EF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D7EB push es; iretd	2_2_0040D7F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390225F pushad ; ret	2_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039027FA pushad ; ret	2_2_039027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039309AD push ecx; mov dword ptr [esp], ecx	2_2_039309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390283D push eax; iretd	2_2_03902858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03901368 push eax; iretd	2_2_03901369

Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00C94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C94A35
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00D155FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00D155FD

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CB33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00CB33C7

Source: C:\Users\user\Desktop\67qCH13C8n.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\67qCH13C8n.exe

API/Special instruction interceptor: Address: 1690A54

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00416628 rdtsc

2_2_00416628

Source: C:\Users\user\Desktop\67qCH13C8n.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 5096

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CF4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00CF4696
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CFC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00CFC9C7
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CFC93C FindFirstFileW,FindClose,	0_2_00CFC93C
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CFF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CFF200
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CFF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CFF35D
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CFF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00CFF65E
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CF3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CF3A2B
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CF3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CF3D4E
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CFBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00CFBF27

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00C94AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C94AFE

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00416628 rdtsc

2_2_00416628

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417733 LdrLoadDll,

2_2_00417733

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00D041FD BlockInput,

0_2_00D041FD

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00C93B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C93B4C

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CC5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00CC5CCC

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00D0C304 LoadLibraryA,GetProcAddress,

0_2_00D0C304

Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_0168F660 mov eax, dword ptr fs:[00000030h]	0_2_0168F660
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_01690D20 mov eax, dword ptr fs:[00000030h]	0_2_01690D20
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_01690CC0 mov eax, dword ptr fs:[00000030h]	0_2_01690CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]	2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]	2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928397 mov eax, dword ptr fs:[00000030h]	2_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]	2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]	2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E388 mov eax, dword ptr fs:[00000030h]	2_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h]	2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395438F mov eax, dword ptr fs:[00000030h]	2_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE3DB mov eax, dword ptr fs:[00000030h]	2_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h]	2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D43D4 mov eax, dword ptr fs:[00000030h]	2_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EC3CD mov eax, dword ptr fs:[00000030h]	2_2_039EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039383C0 mov eax, dword ptr fs:[00000030h]	2_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B63C0 mov eax, dword ptr fs:[00000030h]	2_2_039B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039663FF mov eax, dword ptr fs:[00000030h]	2_2_039663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039403E9 mov eax, dword ptr fs:[00000030h]	2_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C310 mov ecx, dword ptr fs:[00000030h]	2_2_0392C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov ecx, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A08324 mov eax, dword ptr fs:[00000030h]	2_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950310 mov ecx, dword ptr fs:[00000030h]	2_2_03950310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]	2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]	2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A30B mov eax, dword ptr fs:[00000030h]	2_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov ecx, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B035C mov eax, dword ptr fs:[00000030h]	2_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA352 mov eax, dword ptr fs:[00000030h]	2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D8350 mov ecx, dword ptr fs:[00000030h]	2_2_039D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B2349 mov eax, dword ptr fs:[00000030h]	2_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D437C mov eax, dword ptr fs:[00000030h]	2_2_039D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0634F mov eax, dword ptr fs:[00000030h]	2_2_03A0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]	2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E284 mov eax, dword ptr fs:[00000030h]	2_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]	2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]	2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0283 mov eax, dword ptr fs:[00000030h]	2_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C62A0 mov eax, dword ptr fs:[00000030h]	2_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]	2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]	2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039402E1 mov eax, dword ptr fs:[00000030h]	2_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A062D6 mov eax, dword ptr fs:[00000030h]	2_2_03A062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392823B mov eax, dword ptr fs:[00000030h]	2_2_0392823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A250 mov eax, dword ptr fs:[00000030h]	2_2_0392A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936259 mov eax, dword ptr fs:[00000030h]	2_2_03936259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h]	2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA250 mov eax, dword ptr fs:[00000030h]	2_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B8243 mov eax, dword ptr fs:[00000030h]	2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B8243 mov ecx, dword ptr fs:[00000030h]	2_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E0274 mov eax, dword ptr fs:[00000030h]	2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]	2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]	2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934260 mov eax, dword ptr fs:[00000030h]	2_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392826B mov eax, dword ptr fs:[00000030h]	2_2_0392826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0625D mov eax, dword ptr fs:[00000030h]	2_2_03A0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B019F mov eax, dword ptr fs:[00000030h]	2_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]	2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]	2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A197 mov eax, dword ptr fs:[00000030h]	2_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03970185 mov eax, dword ptr fs:[00000030h]	2_2_03970185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]	2_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EC188 mov eax, dword ptr fs:[00000030h]	2_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]	2_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4180 mov eax, dword ptr fs:[00000030h]	2_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A061E5 mov eax, dword ptr fs:[00000030h]	2_2_03A061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]	2_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F61C3 mov eax, dword ptr fs:[00000030h]	2_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039601F8 mov eax, dword ptr fs:[00000030h]	2_2_039601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov ecx, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DA118 mov eax, dword ptr fs:[00000030h]	2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F0115 mov eax, dword ptr fs:[00000030h]	2_2_039F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov eax, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DE10E mov ecx, dword ptr fs:[00000030h]	2_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03960124 mov eax, dword ptr fs:[00000030h]	2_2_03960124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C156 mov eax, dword ptr fs:[00000030h]	2_2_0392C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C8158 mov eax, dword ptr fs:[00000030h]	2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]	2_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04164 mov eax, dword ptr fs:[00000030h]	2_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]	2_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936154 mov eax, dword ptr fs:[00000030h]	2_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov ecx, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C4144 mov eax, dword ptr fs:[00000030h]	2_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393208A mov eax, dword ptr fs:[00000030h]	2_2_0393208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F60B8 mov eax, dword ptr fs:[00000030h]	2_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039280A0 mov eax, dword ptr fs:[00000030h]	2_2_039280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C80A8 mov eax, dword ptr fs:[00000030h]	2_2_039C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B20DE mov eax, dword ptr fs:[00000030h]	2_2_039B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0392C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039720F0 mov ecx, dword ptr fs:[00000030h]	2_2_039720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0392A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039380E9 mov eax, dword ptr fs:[00000030h]	2_2_039380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B60E0 mov eax, dword ptr fs:[00000030h]	2_2_039B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E016 mov eax, dword ptr fs:[00000030h]	2_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B4000 mov ecx, dword ptr fs:[00000030h]	2_2_039B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D2000 mov eax, dword ptr fs:[00000030h]	2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6030 mov eax, dword ptr fs:[00000030h]	2_2_039C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392A020 mov eax, dword ptr fs:[00000030h]	2_2_0392A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C020 mov eax, dword ptr fs:[00000030h]	2_2_0392C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932050 mov eax, dword ptr fs:[00000030h]	2_2_03932050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6050 mov eax, dword ptr fs:[00000030h]	2_2_039B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395C073 mov eax, dword ptr fs:[00000030h]	2_2_0395C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D678E mov eax, dword ptr fs:[00000030h]	2_2_039D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039307AF mov eax, dword ptr fs:[00000030h]	2_2_039307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E47A0 mov eax, dword ptr fs:[00000030h]	2_2_039E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B07C3 mov eax, dword ptr fs:[00000030h]	2_2_039B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]	2_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039347FB mov eax, dword ptr fs:[00000030h]	2_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]	2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]	2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039527ED mov eax, dword ptr fs:[00000030h]	2_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_039BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930710 mov eax, dword ptr fs:[00000030h]	2_2_03930710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03960710 mov eax, dword ptr fs:[00000030h]	2_2_03960710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C700 mov eax, dword ptr fs:[00000030h]	2_2_0396C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]	2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396273C mov ecx, dword ptr fs:[00000030h]	2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396273C mov eax, dword ptr fs:[00000030h]	2_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AC730 mov eax, dword ptr fs:[00000030h]	2_2_039AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]	2_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C720 mov eax, dword ptr fs:[00000030h]	2_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930750 mov eax, dword ptr fs:[00000030h]	2_2_03930750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BE75D mov eax, dword ptr fs:[00000030h]	2_2_039BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]	2_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972750 mov eax, dword ptr fs:[00000030h]	2_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B4755 mov eax, dword ptr fs:[00000030h]	2_2_039B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396674D mov esi, dword ptr fs:[00000030h]	2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]	2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396674D mov eax, dword ptr fs:[00000030h]	2_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938770 mov eax, dword ptr fs:[00000030h]	2_2_03938770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940770 mov eax, dword ptr fs:[00000030h]	2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]	2_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03934690 mov eax, dword ptr fs:[00000030h]	2_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039666B0 mov eax, dword ptr fs:[00000030h]	2_2_039666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0396C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]	2_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B06F1 mov eax, dword ptr fs:[00000030h]	2_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03972619 mov eax, dword ptr fs:[00000030h]	2_2_03972619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE609 mov eax, dword ptr fs:[00000030h]	2_2_039AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394260B mov eax, dword ptr fs:[00000030h]	2_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394E627 mov eax, dword ptr fs:[00000030h]	2_2_0394E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03966620 mov eax, dword ptr fs:[00000030h]	2_2_03966620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968620 mov eax, dword ptr fs:[00000030h]	2_2_03968620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393262C mov eax, dword ptr fs:[00000030h]	2_2_0393262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0394C640 mov eax, dword ptr fs:[00000030h]	2_2_0394C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03962674 mov eax, dword ptr fs:[00000030h]	2_2_03962674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]	2_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F866E mov eax, dword ptr fs:[00000030h]	2_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]	2_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A660 mov eax, dword ptr fs:[00000030h]	2_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E59C mov eax, dword ptr fs:[00000030h]	2_2_0396E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932582 mov eax, dword ptr fs:[00000030h]	2_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03932582 mov ecx, dword ptr fs:[00000030h]	2_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964588 mov eax, dword ptr fs:[00000030h]	2_2_03964588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]	2_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039545B1 mov eax, dword ptr fs:[00000030h]	2_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]	2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]	2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B05A7 mov eax, dword ptr fs:[00000030h]	2_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039365D0 mov eax, dword ptr fs:[00000030h]	2_2_039365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]	2_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E5CF mov eax, dword ptr fs:[00000030h]	2_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039325E0 mov eax, dword ptr fs:[00000030h]	2_2_039325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]	2_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C5ED mov eax, dword ptr fs:[00000030h]	2_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6500 mov eax, dword ptr fs:[00000030h]	2_2_039C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04500 mov eax, dword ptr fs:[00000030h]	2_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940535 mov eax, dword ptr fs:[00000030h]	2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E53E mov eax, dword ptr fs:[00000030h]	2_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]	2_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938550 mov eax, dword ptr fs:[00000030h]	2_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]	2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]	2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396656A mov eax, dword ptr fs:[00000030h]	2_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA49A mov eax, dword ptr fs:[00000030h]	2_2_039EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039644B0 mov ecx, dword ptr fs:[00000030h]	2_2_039644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_039BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039364AB mov eax, dword ptr fs:[00000030h]	2_2_039364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039304E5 mov ecx, dword ptr fs:[00000030h]	2_2_039304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]	2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]	2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968402 mov eax, dword ptr fs:[00000030h]	2_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396A430 mov eax, dword ptr fs:[00000030h]	2_2_0396A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]	2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]	2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392E420 mov eax, dword ptr fs:[00000030h]	2_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392C427 mov eax, dword ptr fs:[00000030h]	2_2_0392C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B6420 mov eax, dword ptr fs:[00000030h]	2_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039EA456 mov eax, dword ptr fs:[00000030h]	2_2_039EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392645D mov eax, dword ptr fs:[00000030h]	2_2_0392645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395245A mov eax, dword ptr fs:[00000030h]	2_2_0395245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396E443 mov eax, dword ptr fs:[00000030h]	2_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]	2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]	2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395A470 mov eax, dword ptr fs:[00000030h]	2_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC460 mov ecx, dword ptr fs:[00000030h]	2_2_039BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]	2_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940BBE mov eax, dword ptr fs:[00000030h]	2_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_039DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]	2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]	2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03950BCB mov eax, dword ptr fs:[00000030h]	2_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]	2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]	2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930BCD mov eax, dword ptr fs:[00000030h]	2_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]	2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]	2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938BF0 mov eax, dword ptr fs:[00000030h]	2_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EBFC mov eax, dword ptr fs:[00000030h]	2_2_0395EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_039BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AEB1D mov eax, dword ptr fs:[00000030h]	2_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04B00 mov eax, dword ptr fs:[00000030h]	2_2_03A04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]	2_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EB20 mov eax, dword ptr fs:[00000030h]	2_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]	2_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039F8B28 mov eax, dword ptr fs:[00000030h]	2_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928B50 mov eax, dword ptr fs:[00000030h]	2_2_03928B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DEB50 mov eax, dword ptr fs:[00000030h]	2_2_039DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]	2_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039E4B4B mov eax, dword ptr fs:[00000030h]	2_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]	2_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C6B40 mov eax, dword ptr fs:[00000030h]	2_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FAB40 mov eax, dword ptr fs:[00000030h]	2_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D8B42 mov eax, dword ptr fs:[00000030h]	2_2_039D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0392CB7E mov eax, dword ptr fs:[00000030h]	2_2_0392CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A02B57 mov eax, dword ptr fs:[00000030h]	2_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03968A90 mov edx, dword ptr fs:[00000030h]	2_2_03968A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393EA80 mov eax, dword ptr fs:[00000030h]	2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04A80 mov eax, dword ptr fs:[00000030h]	2_2_03A04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]	2_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03938AA0 mov eax, dword ptr fs:[00000030h]	2_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986AA4 mov eax, dword ptr fs:[00000030h]	2_2_03986AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930AD0 mov eax, dword ptr fs:[00000030h]	2_2_03930AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]	2_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03964AD0 mov eax, dword ptr fs:[00000030h]	2_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]	2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]	2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03986ACC mov eax, dword ptr fs:[00000030h]	2_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]	2_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396AAEE mov eax, dword ptr fs:[00000030h]	2_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BCA11 mov eax, dword ptr fs:[00000030h]	2_2_039BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]	2_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03954A35 mov eax, dword ptr fs:[00000030h]	2_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA38 mov eax, dword ptr fs:[00000030h]	2_2_0396CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA24 mov eax, dword ptr fs:[00000030h]	2_2_0396CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395EA2E mov eax, dword ptr fs:[00000030h]	2_2_0395EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03936A50 mov eax, dword ptr fs:[00000030h]	2_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]	2_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03940A5B mov eax, dword ptr fs:[00000030h]	2_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]	2_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039ACA72 mov eax, dword ptr fs:[00000030h]	2_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]	2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]	2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396CA6F mov eax, dword ptr fs:[00000030h]	2_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039DEA60 mov eax, dword ptr fs:[00000030h]	2_2_039DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B89B3 mov esi, dword ptr fs:[00000030h]	2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]	2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B89B3 mov eax, dword ptr fs:[00000030h]	2_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039429A0 mov eax, dword ptr fs:[00000030h]	2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h]	2_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039309AD mov eax, dword ptr fs:[00000030h]	2_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039649D0 mov eax, dword ptr fs:[00000030h]	2_2_039649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_039FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C69C0 mov eax, dword ptr fs:[00000030h]	2_2_039C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h]	2_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039629F9 mov eax, dword ptr fs:[00000030h]	2_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_039BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC912 mov eax, dword ptr fs:[00000030h]	2_2_039BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h]	2_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03928918 mov eax, dword ptr fs:[00000030h]	2_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h]	2_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039AE908 mov eax, dword ptr fs:[00000030h]	2_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B892A mov eax, dword ptr fs:[00000030h]	2_2_039B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039C892B mov eax, dword ptr fs:[00000030h]	2_2_039C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039B0946 mov eax, dword ptr fs:[00000030h]	2_2_039B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A04940 mov eax, dword ptr fs:[00000030h]	2_2_03A04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h]	2_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039D4978 mov eax, dword ptr fs:[00000030h]	2_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC97C mov eax, dword ptr fs:[00000030h]	2_2_039BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03956962 mov eax, dword ptr fs:[00000030h]	2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h]	2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397096E mov edx, dword ptr fs:[00000030h]	2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0397096E mov eax, dword ptr fs:[00000030h]	2_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC89D mov eax, dword ptr fs:[00000030h]	2_2_039BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03930887 mov eax, dword ptr fs:[00000030h]	2_2_03930887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0395E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0395E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A008C0 mov eax, dword ptr fs:[00000030h]	2_2_03A008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_039FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039BC810 mov eax, dword ptr fs:[00000030h]	2_2_039BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov ecx, dword ptr fs:[00000030h]	2_2_03952835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03952835 mov eax, dword ptr fs:[00000030h]	2_2_03952835

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CE81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00CE81F7

Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CBA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00CBA395
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00CBA364 SetUnhandledExceptionFilter,		0_2_00CBA364

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2FC0008

Jump to behavior

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CE8C93 LogonUserW,

0_2_00CE8C93

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00C93B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C93B4C

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00C94A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00C94A35

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CF4EC9 mouse_event,

0_2_00CF4EC9

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\67qCH13C8n.exe"

Jump to behavior

Source: C:\Users\user\Desktop\67qCH13C8n.exe

0_2_00CE81F7

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CF4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00CF4C03

Source: 67qCH13C8n.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 67qCH13C8n.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CB886B cpuid

0_2_00CB886B

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CC50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00CC50D7

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CD2230 GetUserNameW,

0_2_00CD2230

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00CC418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00CC418A

Source: C:\Users\user\Desktop\67qCH13C8n.exe

Code function: 0_2_00C94AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C94AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2237744786.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2237420937.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: 67qCH13C8n.exe	Binary or memory string: WIN_81
Source: 67qCH13C8n.exe	Binary or memory string: WIN_XP
Source: 67qCH13C8n.exe	Binary or memory string: WIN_XPe
Source: 67qCH13C8n.exe	Binary or memory string: WIN_VISTA
Source: 67qCH13C8n.exe	Binary or memory string: WIN_7
Source: 67qCH13C8n.exe	Binary or memory string: WIN_8
Source: 67qCH13C8n.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2237744786.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2237420937.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00D06596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00D06596
Source: C:\Users\user\Desktop\67qCH13C8n.exe	Code function: 0_2_00D06A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00D06A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	15 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
67qCH13C8n.exe	70%	Virustotal		Browse
67qCH13C8n.exe	71%	ReversingLabs	Win32.Trojan.AutoitInject
67qCH13C8n.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588804
Start date and time:	2025-01-11 05:41:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	67qCH13C8n.exe renamed because original name is a hash value
Original Sample Name:	ed897c0a85eebe514a44a8edbf898b7cbeac36b0df22a145addcace14c3b742a.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 46 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ocsp.edge.digicert.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
23:42:24	API Interceptor	3x Sleep call for process: svchost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	Pb4xbhZNjF.exe	Get hash	malicious	FormBook	Browse	192.229.221.95
	229242754773566299.js	Get hash	malicious	Strela Downloader	Browse	192.229.221.95
	GhwFStoMJX.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	AudioCodesAppSuite.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	launcher.exe.bin.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	192.229.221.95
	Shipping Document.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	192.229.221.95
	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	1.png	Get hash	malicious	Unknown	Browse	192.229.221.95
	atomxml.ps1	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	192.229.221.95

Process:	C:\Users\user\Desktop\67qCH13C8n.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.994878489927283
Encrypted:	true
SSDEEP:	6144:CT9XEWh/iFQdPxORhn9Vp4E7se/saCgpGIZuZJtQqA7aNXYQmP:q9Xh/iyJxKx9Vp4E7z/ycZi3QL+NaP
MD5:	0AF9CD3B64A81F96C19F991C9DEDC910
SHA1:	9FCBB314F2B3A71AFE9415109B05E55BA2A6C257
SHA-256:	DC961040F809AE6FC808FE7AC1C148FA9A6CB99CE9519A06D0FE109B66DC0EB0
SHA-512:	3B7FEB7D64F882FB67C76EE8913CE21D6E9938D37A224EA3068F043B81E0E5E3F60C6F0CE4E65F15A0CD6085E7FB5656A1F4506D57382B25C4839530BC9ADAB9
Malicious:	false
Reputation:	low
Preview:	zj...02YM..L....t.YL...rE?...MDPZEJ4M8HXYO770ZF702YMDPZEJ4M.HXYA(.>Z.>...L..{."]>.86(EV]z%V^\69d2?e8A#.!6y.xd.7)SU.T@NtZEJ4M8H!XF..P=..PU.p$7._..(?.U...f&P.(..l:".f$[ e9(.70ZF702Y..PZ.K5MN.I;O770ZF70.YOE[[NJ4.<HXYO770ZF.$2YMTPZE0M8H.YO'70ZD704YMDPZEJ2M8HXYO77P^F722YMDPZGJt.8HHYO'70ZF'02IMDPZEJ$M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ.9]0,YO7..^F7 2YM.TZEZ4M8HXYO770ZF70.YM$PZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMD

C:\Users\user\AppData\Local\Temp\nonagglutinant

Download File

Process:	C:\Users\user\Desktop\67qCH13C8n.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.994878489927283
Encrypted:	true
SSDEEP:	6144:CT9XEWh/iFQdPxORhn9Vp4E7se/saCgpGIZuZJtQqA7aNXYQmP:q9Xh/iyJxKx9Vp4E7z/ycZi3QL+NaP
MD5:	0AF9CD3B64A81F96C19F991C9DEDC910
SHA1:	9FCBB314F2B3A71AFE9415109B05E55BA2A6C257
SHA-256:	DC961040F809AE6FC808FE7AC1C148FA9A6CB99CE9519A06D0FE109B66DC0EB0
SHA-512:	3B7FEB7D64F882FB67C76EE8913CE21D6E9938D37A224EA3068F043B81E0E5E3F60C6F0CE4E65F15A0CD6085E7FB5656A1F4506D57382B25C4839530BC9ADAB9
Malicious:	false
Reputation:	low
Preview:	zj...02YM..L....t.YL...rE?...MDPZEJ4M8HXYO770ZF702YMDPZEJ4M.HXYA(.>Z.>...L..{."]>.86(EV]z%V^\69d2?e8A#.!6y.xd.7)SU.T@NtZEJ4M8H!XF..P=..PU.p$7._..(?.U...f&P.(..l:".f$[ e9(.70ZF702Y..PZ.K5MN.I;O770ZF70.YOE[[NJ4.<HXYO770ZF.$2YMTPZE0M8H.YO'70ZD704YMDPZEJ2M8HXYO77P^F722YMDPZGJt.8HHYO'70ZF'02IMDPZEJ$M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ.9]0,YO7..^F7 2YM.TZEZ4M8HXYO770ZF70.YM$PZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMDPZEJ4M8HXYO770ZF702YMD

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.201742261169651
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	67qCH13C8n.exe
File size:	1'205'760 bytes
MD5:	f305accb1225d9894d92c5204f5dfb1d
SHA1:	5faab4c869f46579a260b109d62ace16916cc3a0
SHA256:	ed897c0a85eebe514a44a8edbf898b7cbeac36b0df22a145addcace14c3b742a
SHA512:	c7d9dc14b2fabc62e8c9791481f3eb0b0e9dc072849e2579417c06d5190dbbf158356d856992abbd05aa374b014144ed0f37f768221e855644eed5918382507a
SSDEEP:	24576:QAHnh+eWsN3skA4RV1Hom2KXMmHaQQaa97OdcCo4P6GTf5:Hh+ZkldoPK8YaQ9MEoE6G
TLSH:	6F45BE0273D6D036FFAB92739B6AB20156BD7D250133852F13982DB9BD701B1263E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	6142420142183038

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x676A105D [Tue Dec 24 01:37:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F2CB4B8988Dh
jmp 00007F2CB4B7C644h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F2CB4B7C7CAh
cmp edi, eax
jc 00007F2CB4B7CB2Eh
bt dword ptr [004C41FCh], 01h
jnc 00007F2CB4B7C7C9h
rep movsb
jmp 00007F2CB4B7CADCh
cmp ecx, 00000080h
jc 00007F2CB4B7C994h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F2CB4B7C7D0h
bt dword ptr [004BF324h], 01h
jc 00007F2CB4B7CCA0h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F2CB4B7C96Dh
test edi, 00000003h
jne 00007F2CB4B7C97Eh
test esi, 00000003h
jne 00007F2CB4B7C95Dh
bt edi, 02h
jnc 00007F2CB4B7C7CFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F2CB4B7C7D3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F2CB4B7C825h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x5be24	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x5be24	0x5c000	53bd8ee5675263a47e5edf6361b5495f	False	0.9692913552989131	data	7.968060168131395	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc8580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc86a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc87d0	0x1024	Device independent bitmap graphic, 32 x 62 x 32, image size 3968, resolution 4724 x 4724 px/m	English	Great Britain	0.23426911907066797
RT_MENU	0xc97f4	0x50	data	English	Great Britain	0.9
RT_STRING	0xc9844	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xc9dd8	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xca464	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xca8f4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcaef0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcb54c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcb9b4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcbb0c	0x57dfb	data			1.000322283993321
RT_GROUP_ICON	0x123908	0x14	data	English	Great Britain	1.2
RT_GROUP_ICON	0x12391c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x123930	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x123944	0x14	data	English	Great Britain	1.25
RT_VERSION	0x123958	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x123a34	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 05:42:35.053677082 CET	1.1.1.1	192.168.2.6	0x4275	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:42:35.053677082 CET	1.1.1.1	192.168.2.6	0x4275	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	23:42:17
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\67qCH13C8n.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\67qCH13C8n.exe"
Imagebase:	0xc90000
File size:	1'205'760 bytes
MD5 hash:	F305ACCB1225D9894D92C5204F5DFB1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:42:18
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\67qCH13C8n.exe"
Imagebase:	0x360000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2237744786.0000000003750000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2237420937.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	159

Executed Functions

Function 00C93B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C93B7A
IsDebuggerPresent.KERNEL32 ref: 00C93B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00D562F8,00D562E0,?,?), ref: 00C93BFD

Part of subcall function 00C97D2C: _memmove.LIBCMT ref: 00C97D66

Part of subcall function 00CA0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C93C26,00D562F8,?,?,?), ref: 00CA0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00C93C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00D493F0,00000010), ref: 00CCD4BC
SetCurrentDirectoryW.KERNEL32(?,00D562F8,?,?,?), ref: 00CCD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00D45D40,00D562F8,?,?,?), ref: 00CCD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00CCD581

Part of subcall function 00C93A58: GetSysColorBrush.USER32(0000000F), ref: 00C93A62
Part of subcall function 00C93A58: LoadCursorW.USER32(00000000,00007F00), ref: 00C93A71
Part of subcall function 00C93A58: LoadIconW.USER32(00000063), ref: 00C93A88
Part of subcall function 00C93A58: LoadIconW.USER32(000000A4), ref: 00C93A9A
Part of subcall function 00C93A58: LoadIconW.USER32(000000A2), ref: 00C93AAC
Part of subcall function 00C93A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C93AD2
Part of subcall function 00C93A58: RegisterClassExW.USER32(?), ref: 00C93B28

Part of subcall function 00C939E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C93A15
Part of subcall function 00C939E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C93A36
Part of subcall function 00C939E7: ShowWindow.USER32(00000000,?,?), ref: 00C93A4A
Part of subcall function 00C939E7: ShowWindow.USER32(00000000,?,?), ref: 00C93A53

Part of subcall function 00C943DB: _memset.LIBCMT ref: 00C94401
Part of subcall function 00C943DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C944A6

Strings

This is a third-party compiled AutoIt script., xrefs: 00CCD4B4
runas, xrefs: 00CCD575

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 70ba901a87bd60dc7baeeb32e3f834c0335a75b615008f3dd33b71f08df7aa08
Instruction ID: 0a96fc169b43c4db9e446c8c36083c87994362eb0ba4928f3b7359cfa6c87028
Opcode Fuzzy Hash: 70ba901a87bd60dc7baeeb32e3f834c0335a75b615008f3dd33b71f08df7aa08
Instruction Fuzzy Hash: AF51A231908389AECF11EBB4DC0DEED7B74AB05701F044269F826A32A1DB708A46DB35

Function 00C94AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C94B2B

Part of subcall function 00C97D2C: _memmove.LIBCMT ref: 00C97D66

GetCurrentProcess.KERNEL32(?,00D1FAEC,00000000,00000000,?), ref: 00C94BF8
IsWow64Process.KERNEL32(00000000), ref: 00C94BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C94C45
FreeLibrary.KERNEL32(00000000), ref: 00C94C50
GetSystemInfo.KERNEL32(00000000), ref: 00C94C81
GetSystemInfo.KERNEL32(00000000), ref: 00C94C8D

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 338ac97dab82bfac5751a7e9040d5b60e46ae6b5076192cd70cc0bcfe5e9179c
Instruction ID: 9d6c2b4c8c0ecfa8af511ca73cd151887d70ff6b3d2454aa81c01dfaae6369b1
Opcode Fuzzy Hash: 338ac97dab82bfac5751a7e9040d5b60e46ae6b5076192cd70cc0bcfe5e9179c
Instruction Fuzzy Hash: 0491D63154ABC0DFCB35DB78C455AAAFFE4AF25300B444EADD0DB93A01D620EA49D729

Function 00C94FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C94EEE,?,?,00000000,00000000), ref: 00C94FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C94EEE,?,?,00000000,00000000), ref: 00C95010
LoadResource.KERNEL32(?,00000000,?,?,00C94EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C94F8F), ref: 00CCDD60
SizeofResource.KERNEL32(?,00000000,?,?,00C94EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C94F8F), ref: 00CCDD75
LockResource.KERNEL32(00C94EEE,?,?,00C94EEE,?,?,00000000,00000000,?,?,?,?,?,?,00C94F8F,00000000), ref: 00CCDD88

Strings

SCRIPT, xrefs: 00C95006

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 41f39c8528439b18b26fa08bbae5d7891b00d28ad57e080c9c6d7025b5f864ab
Instruction ID: 912dcbe3ecb29fde55aab287baab4b7578a9f3650c394ce6f390bd28f5c05d0d
Opcode Fuzzy Hash: 41f39c8528439b18b26fa08bbae5d7891b00d28ad57e080c9c6d7025b5f864ab
Instruction Fuzzy Hash: E2115A75240B00BFDB218B65EC58FA77BB9EBC9B11F20816CF41ACA260DB71E8018670

Function 00CF4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00CCE7C1), ref: 00CF46A6
FindFirstFileW.KERNELBASE(?,?), ref: 00CF46B7
FindClose.KERNEL32(00000000), ref: 00CF46C7

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: b29b318ba6cb3b8b2aeec2e654aa130cb0a8e0105903fe0c634ffc1dabb48485
Instruction ID: 39e2f34e129b10e8699ace7e0d9c8d567a392943a2e3f0fd7e9f8d057ae6403e
Opcode Fuzzy Hash: b29b318ba6cb3b8b2aeec2e654aa130cb0a8e0105903fe0c634ffc1dabb48485
Instruction Fuzzy Hash: 85E0D8314105056B42146778EC4D4FB775CDE06335F104715FA35C12E0EBB0595085AA

Function 00CA0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CA0BBB
timeGetTime.WINMM ref: 00CA0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CA0FB3
TranslateMessage.USER32(?), ref: 00CA0FC7
DispatchMessageW.USER32(?), ref: 00CA0FD5
Sleep.KERNEL32(0000000A), ref: 00CA0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00CA105A
DestroyWindow.USER32 ref: 00CA1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CA1080
Sleep.KERNEL32(0000000A,?,?), ref: 00CD52AD
TranslateMessage.USER32(?), ref: 00CD608A
DispatchMessageW.USER32(?), ref: 00CD6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00CD60AC

Strings

@COM_EVENTOBJ, xrefs: 00CD591A
@TRAY_ID, xrefs: 00CD5BB9
@GUI_CTRLID, xrefs: 00CD5364
@GUI_WINHANDLE, xrefs: 00CD53B9
@GUI_CTRLHANDLE, xrefs: 00CD540E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 58da76d9c4abe32646881019a8f1ae817d2d89532bb9e528f7b14d0029d9f17a
Instruction ID: dd67fdbc1f18b1f9d40057bec7c3b9afb817f4b37d7c72a829e7bc6c47bb39f8
Opcode Fuzzy Hash: 58da76d9c4abe32646881019a8f1ae817d2d89532bb9e528f7b14d0029d9f17a
Instruction Fuzzy Hash: 02B2E270608741DFDB24DF24C884BAAB7E0BF85308F24491EF59A873A1DB70E945DB92

Function 00CF93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CF91E9: __time64.LIBCMT ref: 00CF91F3

Part of subcall function 00C95045: _fseek.LIBCMT ref: 00C9505D

__wsplitpath.LIBCMT ref: 00CF94BE

Part of subcall function 00CB432E: __wsplitpath_helper.LIBCMT ref: 00CB436E

_wcscpy.LIBCMT ref: 00CF94D1
_wcscat.LIBCMT ref: 00CF94E4
__wsplitpath.LIBCMT ref: 00CF9509
_wcscat.LIBCMT ref: 00CF951F
_wcscat.LIBCMT ref: 00CF9532

Part of subcall function 00CF922F: _memmove.LIBCMT ref: 00CF9268
Part of subcall function 00CF922F: _memmove.LIBCMT ref: 00CF9277

_wcscmp.LIBCMT ref: 00CF9479

Part of subcall function 00CF99BE: _wcscmp.LIBCMT ref: 00CF9AAE
Part of subcall function 00CF99BE: _wcscmp.LIBCMT ref: 00CF9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CF96DC
_wcsncpy.LIBCMT ref: 00CF974F
DeleteFileW.KERNEL32(?,?), ref: 00CF9785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CF979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CF97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CF97BE

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: c7f408bf8cc814ed1903f8c54d752701d504044c769c6e0df50ab13cc84390f8
Instruction ID: acf37b4453541a001c920d60cdec127a5818f46b5b415d72a869c2ec7e644ab2
Opcode Fuzzy Hash: c7f408bf8cc814ed1903f8c54d752701d504044c769c6e0df50ab13cc84390f8
Instruction Fuzzy Hash: 0CC119B190022DAADF61DF95CC85AEEB7BDEF45300F0040AAF609E6151DB709A849F66

Function 00C93015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C93074
RegisterClassExW.USER32(00000030), ref: 00C9309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C930AF
InitCommonControlsEx.COMCTL32(?), ref: 00C930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C930DC
LoadIconW.USER32(000000A9), ref: 00C930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C93101

Strings

AutoIt v3 GUI, xrefs: 00C93090
0, xrefs: 00C93056
+, xrefs: 00C9305D
TaskbarCreated, xrefs: 00C930A4

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 802c8bf12c7bdf8f3d458af5c0ce971cdc420dd563211202867b009ff38a14d7
Instruction ID: afc48fe46783c6bb1501b5d36e93908dff62efecc0959708d2f946c98eba9276
Opcode Fuzzy Hash: 802c8bf12c7bdf8f3d458af5c0ce971cdc420dd563211202867b009ff38a14d7
Instruction Fuzzy Hash: 97312AB1945309AFDB40DFA4E885AC9BFF0FB09311F10856AE990E63A0D7B94586CF61

Function 00C93041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C93074
RegisterClassExW.USER32(00000030), ref: 00C9309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C930AF
InitCommonControlsEx.COMCTL32(?), ref: 00C930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C930DC
LoadIconW.USER32(000000A9), ref: 00C930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C93101

Strings

AutoIt v3 GUI, xrefs: 00C93090
0, xrefs: 00C93056
+, xrefs: 00C9305D
TaskbarCreated, xrefs: 00C930A4

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3e93e9c5f435b0a768182164e56d27aed500eb3a7c2344cba72130109fedcda4
Instruction ID: f8230ac4f689933d97ac2b7b92b085bdd7ca0decfc749ef2bb0e72aad72dffa2
Opcode Fuzzy Hash: 3e93e9c5f435b0a768182164e56d27aed500eb3a7c2344cba72130109fedcda4
Instruction Fuzzy Hash: 6D21AFB1901318AFDB00DFA4E889BDDBBB4FB08711F50852AE914E73A0DBB585458FA5

Function 00C971EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C94864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D562F8,?,00C937C0,?), ref: 00C94882

Part of subcall function 00CB074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C972C5), ref: 00CB0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C97308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00CCECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00CCED32
RegCloseKey.ADVAPI32(?), ref: 00CCED70
_wcscat.LIBCMT ref: 00CCEDC9

Strings

\, xrefs: 00CCEDEC
\Include\, xrefs: 00C972C5
Software\AutoIt v3\AutoIt, xrefs: 00C972FE
Include, xrefs: 00CCECE8, 00CCED29

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: eab63512fafc5b268c8f0c75e62c0fa81958a9ebc7ea053cde4de263ef466696
Instruction ID: 56d6ea784a8fe98f527a09394727eae3c5c799ba95e61123e3bdb9a3dd2a9d7a
Opcode Fuzzy Hash: eab63512fafc5b268c8f0c75e62c0fa81958a9ebc7ea053cde4de263ef466696
Instruction Fuzzy Hash: B9719C7140D301AEC710EF65EC859ABBBE8FF59340F54492EF845C32A0EB309A48DB66

Function 00C93A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C93A62
LoadCursorW.USER32(00000000,00007F00), ref: 00C93A71
LoadIconW.USER32(00000063), ref: 00C93A88
LoadIconW.USER32(000000A4), ref: 00C93A9A
LoadIconW.USER32(000000A2), ref: 00C93AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C93AD2
RegisterClassExW.USER32(?), ref: 00C93B28

Part of subcall function 00C93041: GetSysColorBrush.USER32(0000000F), ref: 00C93074
Part of subcall function 00C93041: RegisterClassExW.USER32(00000030), ref: 00C9309E
Part of subcall function 00C93041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C930AF
Part of subcall function 00C93041: InitCommonControlsEx.COMCTL32(?), ref: 00C930CC
Part of subcall function 00C93041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C930DC
Part of subcall function 00C93041: LoadIconW.USER32(000000A9), ref: 00C930F2
Part of subcall function 00C93041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C93101

Strings

#, xrefs: 00C93B0D
0, xrefs: 00C93B06
AutoIt v3, xrefs: 00C93B17

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: a904231babd5a44e943eced2256efcdc10adf5cf01e51f90b4a8c64b45468027
Instruction ID: 2fec471746308c8e47dbfbe493c954f3456bca025c3279daa36d27b90f55e69a
Opcode Fuzzy Hash: a904231babd5a44e943eced2256efcdc10adf5cf01e51f90b4a8c64b45468027
Instruction Fuzzy Hash: F0210871900304BBEB109FA4EC09B9D7BB4EB08712F50412AE904E73A0DBB69654DFA8

Function 00C93633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00C936D2
KillTimer.USER32(?,00000001), ref: 00C936FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C9371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C9372A
CreatePopupMenu.USER32 ref: 00C9373E
PostQuitMessage.USER32(00000000), ref: 00C9375F

Strings

TaskbarCreated, xrefs: 00C93725

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: e1c73eda28b980d1ede8951e142d12a33b6537c686a9312c82abf14681787792
Instruction ID: 37b6a70613a69640c5943d0794af952e5d81aa4c64dab3771e98a37d8259e780
Opcode Fuzzy Hash: e1c73eda28b980d1ede8951e142d12a33b6537c686a9312c82abf14681787792
Instruction Fuzzy Hash: B241C1B2204385BBDF245BA4ED0DBB93A65EB41301F140129FE12D63E1CB60DF55A676

Function 00C93778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00C93834
CMDLINERAW, xrefs: 00C9380D
/AutoIt3OutputDebug, xrefs: 00C938A4
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00C937C0
/ErrorStdOut, xrefs: 00C9388F
/AutoIt3ExecuteLine, xrefs: 00C938B9
/AutoIt3ExecuteScript, xrefs: 00C938CE

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 61e936612f200ba437cf3f97ce7428a8355f7af24c22c39ec5addb13385c038b
Instruction ID: cb3eb6b10d08e116728073682038a11756578d616e377830643523af43e71d48
Opcode Fuzzy Hash: 61e936612f200ba437cf3f97ce7428a8355f7af24c22c39ec5addb13385c038b
Instruction Fuzzy Hash: CCA15D72810269ABCF14EFA4DC99EEEB778FF14300F44052AF416A7191EF749A09DB64

Function 0168FE10 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0168FEE1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01690107

Memory Dump Source

Source File: 00000000.00000002.2171101949.000000000168D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168d000_67qCH13C8n.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: 8ff1540ba57e1f33713a34eff6a258aa8d130a1dbe67573880d50fc49cee067d
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: C1A1F974E00209EBDF14DFA8C894BEEBBB9FF48305F208559E505BB281D7759A81CB94

Function 00C939E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C93A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C93A36
ShowWindow.USER32(00000000,?,?), ref: 00C93A4A
ShowWindow.USER32(00000000,?,?), ref: 00C93A53

Strings

AutoIt v3, xrefs: 00C93A0D, 00C93A12, 00C93A13
edit, xrefs: 00C93A30

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4736669b91f5f3ee8396ebe9e35a6a8939e63d454024cb2ad85fb6049bdc06b1
Instruction ID: 977b319213d197bf8654c4017096b2c2466ff25af84ac916bc3a9b1409599a48
Opcode Fuzzy Hash: 4736669b91f5f3ee8396ebe9e35a6a8939e63d454024cb2ad85fb6049bdc06b1
Instruction Fuzzy Hash: E6F0DA716413907EEA3117276C49E672E7DD7C6F51F40412ABD08E33B0CAA55851DAB4

Function 0168FBA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 160
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0168FA90: Sleep.KERNELBASE(000001F4), ref: 0168FAA1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0168FD06

Strings

70ZF702YMDPZEJ4M8HXYO7, xrefs: 0168FD6C, 0168FD6F

Memory Dump Source

Source File: 00000000.00000002.2171101949.000000000168D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168d000_67qCH13C8n.jbxd

Similarity

API ID: CreateFileSleep
String ID: 70ZF702YMDPZEJ4M8HXYO7
API String ID: 2694422964-1600784305
Opcode ID: d06649e9dd88425e835ca17542298744727a305b02ceb948a46e91294f8a22d5
Instruction ID: 6af868d3e5798aad11d8d0eb11ef356b40f796cbd3bbb7ef95909584ee49e2f9
Opcode Fuzzy Hash: d06649e9dd88425e835ca17542298744727a305b02ceb948a46e91294f8a22d5
Instruction Fuzzy Hash: D361A531D04289DBEF11DBA4C854BEEBB79AF19304F004199E609BB2C0D7BA1B45CB66

Function 00C9410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CCD5EC

Part of subcall function 00C97D2C: _memmove.LIBCMT ref: 00C97D66

_memset.LIBCMT ref: 00C9418D
_wcscpy.LIBCMT ref: 00C941E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C941F1

Strings

Line: , xrefs: 00CCD615

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 41fa2926042a48eac63e1a63e22262234fd34a85cb938329dc9e2bdd78f71a67
Instruction ID: 30554fcb30fea23e5fb575978303d9f09223f89ef5265f2c20041c357c73c4c1
Opcode Fuzzy Hash: 41fa2926042a48eac63e1a63e22262234fd34a85cb938329dc9e2bdd78f71a67
Instruction Fuzzy Hash: C331ED71009304AEDB25EB60DC4AFDF73E8AF44300F10461EF595931A1EF70A649D7A6

Function 00C969CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C94F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C94F6F

_free.LIBCMT ref: 00CCE68C
_free.LIBCMT ref: 00CCE6D3

Part of subcall function 00C96BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C96D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00CCE462
Bad directive syntax error, xrefs: 00CCE6BB

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 5509ace55fb43feab1351cbca8b38516dcd62002e784a1bcf1cd9d5ca744a7a6
Instruction ID: 044d44cdbd2f22bdb5e773672223369f7e0d936fc71ea2429cd4b8496069c6b8
Opcode Fuzzy Hash: 5509ace55fb43feab1351cbca8b38516dcd62002e784a1bcf1cd9d5ca744a7a6
Instruction Fuzzy Hash: B3917D71910219AFCF08EFA4C895EEDB7B4FF19314F14456DF816AB2A1EB309A05DB60

Function 00C935B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C935A1,SwapMouseButtons,00000004,?), ref: 00C935D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C935A1,SwapMouseButtons,00000004,?,?,?,?,00C92754), ref: 00C935F5
RegCloseKey.KERNELBASE(00000000,?,?,00C935A1,SwapMouseButtons,00000004,?,?,?,?,00C92754), ref: 00C93617

Strings

Control Panel\Mouse, xrefs: 00C935D2

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 673087b56a45c4707f43418cabc845dc544c2af74dc7c15aa40c34cc2ef41c97
Instruction ID: a0fcff7390a36240cb16a5404e07166b46da9e4740e91b2d8a192d351c94b570
Opcode Fuzzy Hash: 673087b56a45c4707f43418cabc845dc544c2af74dc7c15aa40c34cc2ef41c97
Instruction Fuzzy Hash: E41136B1510248BADF208FA8D848AEABBA8EF04740F008469F805D7210D7719F419764

Function 0168EA90 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0168F24B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0168F2E1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0168F303

Memory Dump Source

Source File: 00000000.00000002.2171101949.000000000168D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168d000_67qCH13C8n.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d21c280c783bbae91a429f84d87e257f256d4475b71677e5b67df5fe47b3db5a
Instruction ID: b668824c621cee29f8163dfe235769ff072a96b7db2aebb7a512e40a5386cbc8
Opcode Fuzzy Hash: d21c280c783bbae91a429f84d87e257f256d4475b71677e5b67df5fe47b3db5a
Instruction Fuzzy Hash: AC62EA30A142589BEB24DFA4CC50BDEB776EF58300F1091A9D20DEB394E7759E81CB5A

Function 00CF97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00C95045: _fseek.LIBCMT ref: 00C9505D

Part of subcall function 00CF99BE: _wcscmp.LIBCMT ref: 00CF9AAE
Part of subcall function 00CF99BE: _wcscmp.LIBCMT ref: 00CF9AC1

_free.LIBCMT ref: 00CF992C
_free.LIBCMT ref: 00CF9933
_free.LIBCMT ref: 00CF999E

Part of subcall function 00CB2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00CB9C64), ref: 00CB2FA9
Part of subcall function 00CB2F95: GetLastError.KERNEL32(00000000,?,00CB9C64), ref: 00CB2FBB

_free.LIBCMT ref: 00CF99A6

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 9690ec37a99f3e34c345aaf77278a4aa0a987fee9d6e51b3a8c880d7a8037fbc
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 6C515FB1D04618AFDF249F64CC45BAEBB79EF48310F1004AEB609A7281DB715E80DF59

Function 00CB493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CB49D0
__flush.LIBCMT ref: 00CB49F0
__write.LIBCMT ref: 00CB4A23
__flsbuf.LIBCMT ref: 00CB4A51

Part of subcall function 00CB8D68: __getptd_noexit.LIBCMT ref: 00CB8D68

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 0b871adb71bb5dd345a5ee6346d47ba516816987fb2ee9932e41103fea4668b8
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: C141B671A487059BDF1CCEA9C8809EF7BAAEF80360F24817DE865C7642D7709E419744

Function 00C973E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CCEE62
GetOpenFileNameW.COMDLG32(?), ref: 00CCEEAC

Part of subcall function 00C948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C948A1,?,?,00C937C0,?), ref: 00C948CE

Part of subcall function 00CB09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CB09F4

Strings

X, xrefs: 00CCEE7A

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 5464e94cb9a7ed4cf22352df19dd10dbb5beecddab93ec8a5cc6e333518f98d1
Instruction ID: 7fb7fe09cc298756f8d0cd605c25093ff399966fb7a0c877f459de2ae1f8d2b9
Opcode Fuzzy Hash: 5464e94cb9a7ed4cf22352df19dd10dbb5beecddab93ec8a5cc6e333518f98d1
Instruction Fuzzy Hash: CB21A8719142589BCF11DF94CC49BEE7BF89F49314F04405AE408E7381DBB45A8E9FA1

Function 00CF9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00CF9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00CF9B99

Strings

aut, xrefs: 00CF9B93

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 70305f904f02ac6cdba7b9d4b744542d0cc8c52a2be9911051cbe99819a4d02b
Instruction ID: a0c6f64c7cd0b7b92fdd7d72e0f3b0bfe315d8af3bf8f1ad4b4198fd51dc4471
Opcode Fuzzy Hash: 70305f904f02ac6cdba7b9d4b744542d0cc8c52a2be9911051cbe99819a4d02b
Instruction Fuzzy Hash: 35D05E7958030DBBDB10DB94DC0EFDA776CE704704F0082A1BE58D21A2DEB455998BA5

Function 00D0CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee21db4a57d1df1ef88f464e8e06dd0a220977c6a30b2bc458fe70c129c3a1b
Instruction ID: bcd88139391ff47f5a80358d0c4e4f7203d076cab942590a2bc553044df0f994
Opcode Fuzzy Hash: 0ee21db4a57d1df1ef88f464e8e06dd0a220977c6a30b2bc458fe70c129c3a1b
Instruction Fuzzy Hash: E1F14B709083419FCB14DF68C484A6ABBE5FF88314F14892EF8999B391DB71E945CF92

Function 00C9F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CB03D3
Part of subcall function 00CB03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00CB03DB
Part of subcall function 00CB03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CB03E6
Part of subcall function 00CB03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CB03F1
Part of subcall function 00CB03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00CB03F9
Part of subcall function 00CB03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00CB0401

Part of subcall function 00CA6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C9FA90), ref: 00CA62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C9FB2D
OleInitialize.OLE32(00000000), ref: 00C9FBAA
CloseHandle.KERNEL32(00000000), ref: 00CD49F2

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: bdd54336a1f544661060d8ee6a93ae81ec0f1771926342e467d4f32b0585697a
Instruction ID: fdea939cc03d72ad26a95aef4cee23b9d9fc11c4d2117080e4d657b09c2b8d7a
Opcode Fuzzy Hash: bdd54336a1f544661060d8ee6a93ae81ec0f1771926342e467d4f32b0585697a
Instruction Fuzzy Hash: 7281B8B09093408FDB84DF79E9446257BE4EBA831A794826ADC19C7372EB71C409CF31

Function 00C943DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C94401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C944A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C944C3

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: a739cac3b8338a5b6572f3d42ca04836f6a5b31fee7cb118471e24c69912988d
Instruction ID: 14ad33f527a4552b950cd39c1028c5135d35901383b4f7ee5404421f3c4b00da
Opcode Fuzzy Hash: a739cac3b8338a5b6572f3d42ca04836f6a5b31fee7cb118471e24c69912988d
Instruction Fuzzy Hash: AC315EB15047019FDB64DF24D888B9BBBE8BB48305F00092EF99AC3351D775AA45CBA6

Function 00CB594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00CB5963

Part of subcall function 00CBA3AB: __NMSG_WRITE.LIBCMT ref: 00CBA3D2
Part of subcall function 00CBA3AB: __NMSG_WRITE.LIBCMT ref: 00CBA3DC

__NMSG_WRITE.LIBCMT ref: 00CB596A

Part of subcall function 00CBA408: GetModuleFileNameW.KERNEL32(00000000,00D543BA,00000104,?,00000001,00000000), ref: 00CBA49A
Part of subcall function 00CBA408: ___crtMessageBoxW.LIBCMT ref: 00CBA548

Part of subcall function 00CB32DF: ___crtCorExitProcess.LIBCMT ref: 00CB32E5
Part of subcall function 00CB32DF: ExitProcess.KERNEL32 ref: 00CB32EE

Part of subcall function 00CB8D68: __getptd_noexit.LIBCMT ref: 00CB8D68

RtlAllocateHeap.NTDLL(01650000,00000000,00000001,00000000,?,?,?,00CB1013,?), ref: 00CB598F

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 013359ea43bbdf24c623110da67c8869630229a67dcba266e6ef7623e03c946a
Instruction ID: 0a2282167d3fa70501759778eab0c2275064c013061a0549c58f5f94be6c6ddf
Opcode Fuzzy Hash: 013359ea43bbdf24c623110da67c8869630229a67dcba266e6ef7623e03c946a
Instruction Fuzzy Hash: 4701F531B00B22EEE6212B75EC42BEE72888F41772F10002AF914DA2C1DE709E42A675

Function 00CF9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00CF97D2,?,?,?,?,?,00000004), ref: 00CF9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00CF97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00CF9B5B
CloseHandle.KERNEL32(00000000,?,00CF97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00CF9B62

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 3cc539ae32ad8a0e9712add27082edab00d4c448fb8aa1bd3f023b8db4d9e0ff
Instruction ID: 7066a3fc389cc1f485e4017000b3588a94eee6df763dcca7d26e74412cc7b0a7
Opcode Fuzzy Hash: 3cc539ae32ad8a0e9712add27082edab00d4c448fb8aa1bd3f023b8db4d9e0ff
Instruction Fuzzy Hash: 1EE08632580714B7DB311B54EC09FDA7B28EB05761F108220FB24A91E0CBB1265297A8

Function 00CF8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00CF8FA5

Part of subcall function 00CB2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00CB9C64), ref: 00CB2FA9
Part of subcall function 00CB2F95: GetLastError.KERNEL32(00000000,?,00CB9C64), ref: 00CB2FBB

_free.LIBCMT ref: 00CF8FB6
_free.LIBCMT ref: 00CF8FC8

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: d6ca4922a6a579bddece169bbc2c3eb910967d1f38406ff15907d507aaee55e3
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 16E0C2A12087114ECA24A5F8AD04AF317EE0F48350B08080DB519DB142CE24E940A024

Function 00C9AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00CD002B

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: d347fd56f7ebbdefb8297b3609e8881043cc3b4a21db60f9430806738ac12838
Instruction ID: b83241bf345714f4e4c040f0782b553eaae0b75ad6a2d51dc20e27c6bd8ce105
Opcode Fuzzy Hash: d347fd56f7ebbdefb8297b3609e8881043cc3b4a21db60f9430806738ac12838
Instruction Fuzzy Hash: 58223770508241DFCB24DF18C598B6ABBE1FF85304F24895DE99A8B362D731ED85DB82

Function 00C94DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C94E1A

Strings

EA06, xrefs: 00CCDCF5

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 84898d3157c503c721e35cbe3fb8d2e3b60c23dcf49c719f2376024c9e825b14
Instruction ID: 0227f2afd2d4c49c4196f6baf37b16486e979cc6452bb3f412f618c03175c6e5
Opcode Fuzzy Hash: 84898d3157c503c721e35cbe3fb8d2e3b60c23dcf49c719f2376024c9e825b14
Instruction Fuzzy Hash: 27419E31A045545BCF2A9F64C859FBFFFA6AF01300F2840B5FC829B282D6318E4693E1

Function 00C97BB1 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C97C0B
_memmove.LIBCMT ref: 00C97C76

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
Instruction ID: 182fa6986c1e2385bfcf158818d8c746a76214889f1d38ba84512cd70bd14215
Opcode Fuzzy Hash: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
Instruction Fuzzy Hash: 5531D6B1715506AFCB14DF68D8D1E69F3A9FF48310B15872DE925CB291DB30E960CB90

Function 00C9492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00C94992

Part of subcall function 00CB35AC: __lock.LIBCMT ref: 00CB35B2
Part of subcall function 00CB35AC: DecodePointer.KERNEL32(00000001,?,00C949A7,00CE81BC), ref: 00CB35BE
Part of subcall function 00CB35AC: EncodePointer.KERNEL32(?,?,00C949A7,00CE81BC), ref: 00CB35C9

Part of subcall function 00C94A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C94A73
Part of subcall function 00C94A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C94A88

Part of subcall function 00C93B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C93B7A
Part of subcall function 00C93B4C: IsDebuggerPresent.KERNEL32 ref: 00C93B8C
Part of subcall function 00C93B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00D562F8,00D562E0,?,?), ref: 00C93BFD
Part of subcall function 00C93B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00C93C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C949D2

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 66ff612ccf49ed76c5fe791f5fcea1630db3fab628f6bdc676074e668be61d79
Instruction ID: a9fc033b21836cf1c571790d209f754f23bf27aac085e83893a0d500e7319e03
Opcode Fuzzy Hash: 66ff612ccf49ed76c5fe791f5fcea1630db3fab628f6bdc676074e668be61d79
Instruction Fuzzy Hash: AE118C719083519BC700DF69EC0994EBBE8EB94711F00851EF845C33B1DB70DA55DBAA

Function 00CB0FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CB594C: __FF_MSGBANNER.LIBCMT ref: 00CB5963
Part of subcall function 00CB594C: __NMSG_WRITE.LIBCMT ref: 00CB596A
Part of subcall function 00CB594C: RtlAllocateHeap.NTDLL(01650000,00000000,00000001,00000000,?,?,?,00CB1013,?), ref: 00CB598F

std::exception::exception.LIBCMT ref: 00CB102C
__CxxThrowException@8.LIBCMT ref: 00CB1041

Part of subcall function 00CB87DB: RaiseException.KERNEL32(?,?,?,00D4BAF8,00000000,?,?,?,?,00CB1046,?,00D4BAF8,?,00000001), ref: 00CB8830

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 783781a7a5a0d76100283f25740e2ecea34ae20a41419ca7ce5a79d213cebfc1
Instruction ID: 8d83b5863981873721fb197a16b2e35bc16c56caece334d19ea36d6dcb77c0f5
Opcode Fuzzy Hash: 783781a7a5a0d76100283f25740e2ecea34ae20a41419ca7ce5a79d213cebfc1
Instruction Fuzzy Hash: BAF0F43454422DA6CB20BA98FC16AEF7BAC9F00364F500026FC14A2281DFB08B84E2E0

Function 00CB55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CB8D68: __getptd_noexit.LIBCMT ref: 00CB8D68

__lock_file.LIBCMT ref: 00CB561B

Part of subcall function 00CB6E4E: __lock.LIBCMT ref: 00CB6E71

__fclose_nolock.LIBCMT ref: 00CB5626

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 61fe4ae4e0b81b2030772d49c521b698c8d34cc9350d4f52d5162b7d74224968
Instruction ID: 0db30e07fc0f562180074efeb5c5a224f34dd9414e8d85c5618d75da96dda215
Opcode Fuzzy Hash: 61fe4ae4e0b81b2030772d49c521b698c8d34cc9350d4f52d5162b7d74224968
Instruction Fuzzy Hash: 85F0B471901A059BDB20AF758C427EE77A56F50334F598209F424AB2C1CF7C8A06EF55

Function 0168EA8D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0168F24B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0168F2E1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0168F303

Memory Dump Source

Source File: 00000000.00000002.2171101949.000000000168D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168d000_67qCH13C8n.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction ID: 6f51e9ac8b3c9dd3ffebe2381af21bb0cfbbb5edf8e43f3b4ed4a2b1e6f41246
Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction Fuzzy Hash: A312CF24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A

Function 00CB0E48 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00CB0EF7

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: af8051bcbe9156f26b904b9cd0f883911a3e77db21277d518c2315bee053d8a8
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B631D270A00145DBDB18DF59C4809AAF7A6FF59300F748AA5E45ACB661DB31EEC1CB80

Function 00CD00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00CD00E1

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: fadabaf29cb8c92e8dc648c64946110a7bafccc507923c0e59edb9cabf197e18
Instruction ID: 3c418a637947acafb32b06e41044d8376b1cf216a383e91485cff051dd81e6b7
Opcode Fuzzy Hash: fadabaf29cb8c92e8dc648c64946110a7bafccc507923c0e59edb9cabf197e18
Instruction Fuzzy Hash: 9B411874508351DFDB24DF18C488B1ABBE0BF45318F19889DE9998B362C732EC95CB92

Function 00C97CB3 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C97D13

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f5b3ccfbb86e38b72288f386c1d156a836934d764bd327bb34067a5b1f5e31e0
Instruction ID: 8c0aef77ae061c01e2ae5ecea0eb2921775c859906f97a64307da230ec320875
Opcode Fuzzy Hash: f5b3ccfbb86e38b72288f386c1d156a836934d764bd327bb34067a5b1f5e31e0
Instruction Fuzzy Hash: 43214F32614609EBEF104F25FC46B797BB8FF10750F25856EE882C51A1EB30C5E29716

Function 00C94F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C94D13: FreeLibrary.KERNEL32(00000000,?), ref: 00C94D4D

Part of subcall function 00CB548B: __wfsopen.LIBCMT ref: 00CB5496

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C94F6F

Part of subcall function 00C94CC8: FreeLibrary.KERNEL32(00000000), ref: 00C94D02

Part of subcall function 00C94DD0: _memmove.LIBCMT ref: 00C94E1A

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 12ae5c6f0545483a59ed2314fd47bab9f36dd9dd7288e5290f5fcc7dc2bccdd9
Instruction ID: 7a262498a7d6c672af4b6dac7c0839caff0bcd27375d8c35920d79f942936f76
Opcode Fuzzy Hash: 12ae5c6f0545483a59ed2314fd47bab9f36dd9dd7288e5290f5fcc7dc2bccdd9
Instruction Fuzzy Hash: 35110A3260070AABCF18FF74DC0AFAE77A59F44701F10852DF542A71C1EE719A06ABA0

Function 00CD01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00CD01BB

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5bdf23269bdd12fdc3217c9646ab5e729573b83a736b586b7253b7f66a9659df
Instruction ID: 271b2bc2ab1af88bed59dc65f7cbf1ba4a48dee624fd69cfd9c6caceb6bf5eff
Opcode Fuzzy Hash: 5bdf23269bdd12fdc3217c9646ab5e729573b83a736b586b7253b7f66a9659df
Instruction Fuzzy Hash: 992122B4508341DFCB24DF54C488B5ABBE0BF88304F08896CE99A47721D731E855DBA2

Function 00CB4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00CB4AD6

Part of subcall function 00CB8D68: __getptd_noexit.LIBCMT ref: 00CB8D68

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 9af630fbb662d0d1c79561b5d1e366193eea7da32604e8f8ff03a89a330bbd7f
Instruction ID: c285865988f9806e2a39b76350e5ee9b266510c6343b54295c3d880eb160a1e8
Opcode Fuzzy Hash: 9af630fbb662d0d1c79561b5d1e366193eea7da32604e8f8ff03a89a330bbd7f
Instruction Fuzzy Hash: 4FF0AF31944209ABDF65AFB4CC067EF36A9AF00725F088514F424AA1D3DB78CA54FF55

Function 00C94FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C94FDE

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8e0e99bb7da5d6fc2b06551a0b4f5214b185235254de2d0214a2024c197b1d21
Instruction ID: b0c6506461119c4e6e55c7a8ec4906d2cc7d8c03e7cbd7f5a5317aa2c1bb7695
Opcode Fuzzy Hash: 8e0e99bb7da5d6fc2b06551a0b4f5214b185235254de2d0214a2024c197b1d21
Instruction Fuzzy Hash: 46F03971105712DFCB389FA5E498C52BBE1BF0432A3208A3EE5EA82610C731A986DF50

Function 00CB09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00CB09F4

Part of subcall function 00C97D2C: _memmove.LIBCMT ref: 00C97D66

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: b145d66a99b48329ffb62b17ada817b7960bb150d6b9a01a471f921d9009bdd4
Instruction ID: 7eb1005108463582f2b662cf9098d0adf39a1bee13c47e1402bc8bad921e339d
Opcode Fuzzy Hash: b145d66a99b48329ffb62b17ada817b7960bb150d6b9a01a471f921d9009bdd4
Instruction Fuzzy Hash: 66E0867690522857C720D6989C05FFA77ADDF89690F0441B5FC0CD7205D9619C818690

Function 00CB548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00CB5496

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 248743afb3dd60abaee8619061fb178a2720fbcb3127f5ddb8a059e8fb5bebff
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 23B09B7544010C77DE011D41EC02B553B195740774F404010FB0C18161957395605585

Function 0168FA90 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0168FAA1

Memory Dump Source

Source File: 00000000.00000002.2171101949.000000000168D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_168d000_67qCH13C8n.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: db182feeec47a3a5a6e15b56c3dddea7851dfaff94cad23bb0e2aa096db57108
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 35E0E67594010DDFDB00EFB4D94969E7FB4EF04301F1006A5FD01D2281D6309D508A62

Non-executed Functions

Function 00D1CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C92612: GetWindowLongW.USER32(?,000000EB), ref: 00C92623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00D1CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D1CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00D1CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D1CF00
SendMessageW.USER32 ref: 00D1CF29
_wcsncpy.LIBCMT ref: 00D1CFA1
GetKeyState.USER32(00000011), ref: 00D1CFC2
GetKeyState.USER32(00000009), ref: 00D1CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00D1CFE5
GetKeyState.USER32(00000010), ref: 00D1CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D1D018
SendMessageW.USER32 ref: 00D1D03F
SendMessageW.USER32(?,00001030,?,00D1B602), ref: 00D1D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00D1D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00D1D16E
SetCapture.USER32(?), ref: 00D1D177
ClientToScreen.USER32(?,?), ref: 00D1D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00D1D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D1D203
ReleaseCapture.USER32 ref: 00D1D20E
GetCursorPos.USER32(?), ref: 00D1D248
ScreenToClient.USER32(?,?), ref: 00D1D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D1D2B1
SendMessageW.USER32 ref: 00D1D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D1D31C
SendMessageW.USER32 ref: 00D1D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00D1D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00D1D37B
GetCursorPos.USER32(?), ref: 00D1D39B
ScreenToClient.USER32(?,?), ref: 00D1D3A8
GetParent.USER32(?), ref: 00D1D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00D1D431
SendMessageW.USER32 ref: 00D1D462
ClientToScreen.USER32(?,?), ref: 00D1D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D1D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00D1D51A
SendMessageW.USER32 ref: 00D1D53D
ClientToScreen.USER32(?,?), ref: 00D1D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00D1D5C3

Part of subcall function 00C925DB: GetWindowLongW.USER32(?,000000EB), ref: 00C925EC

GetWindowLongW.USER32(?,000000F0), ref: 00D1D65F

Strings

@GUI_DRAGID, xrefs: 00D1D1AA
F, xrefs: 00D1D543

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 57d673b2213a7bac78a599217ebb15f8bdb43c70bddddd9da6cfe5834e747dcd
Instruction ID: 36677c7d4d5c9b5cef3654840be242e0fa7465071abf873b7849d8480766224a
Opcode Fuzzy Hash: 57d673b2213a7bac78a599217ebb15f8bdb43c70bddddd9da6cfe5834e747dcd
Instruction Fuzzy Hash: 61428E30244341BFDB25CF28E844AAABBE6FF49314F184519F695C73A1CB31D895DBA2

Function 00D1804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00D1873F

Strings

%d/%02d/%02d, xrefs: 00D18478

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: abad9a3bc53759bee1a28097e574e6659f2b2f5aa721eafba93315d55cab4a7b
Instruction ID: 8f121d4ca831d74eb591210fddbe61f1bf66edee2ac6e0adf1b01c5f4151102c
Opcode Fuzzy Hash: abad9a3bc53759bee1a28097e574e6659f2b2f5aa721eafba93315d55cab4a7b
Instruction Fuzzy Hash: AA12AF71600344BBEB25DF64EC49FEA7BB9EB45710F244129F915EA2E1DF708981EB20

Function 00CA710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CA75C2
_memset.LIBCMT ref: 00CA76B1
_memmove.LIBCMT ref: 00CA7C4B
_memmove.LIBCMT ref: 00CA7E4F

Strings

DEFINE, xrefs: 00CE25AF
Q\E, xrefs: 00CA81C1
\b(?<=\w), xrefs: 00CE3C41
\b(?=\w), xrefs: 00CE3C34
[:<:]], xrefs: 00CA75F1
[:>:]], xrefs: 00CA760A

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: c3d2a299c664da18a035abd8ed2fb14f29b570210fa1d2d9d8497ed94e95cc83
Instruction ID: 10f087b0ea3e96d42557257594c3ef75f0d9067f7933cce2020bb4f37fd55e85
Opcode Fuzzy Hash: c3d2a299c664da18a035abd8ed2fb14f29b570210fa1d2d9d8497ed94e95cc83
Instruction Fuzzy Hash: 4593B271E0025ADFDB24CF99C885BADB7B1FF48314F25816AE955EB280E7709E81CB50

Function 00C94A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00C94A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CCDA8E
IsIconic.USER32(?), ref: 00CCDA97
ShowWindow.USER32(?,00000009), ref: 00CCDAA4
SetForegroundWindow.USER32(?), ref: 00CCDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CCDAC4
GetCurrentThreadId.KERNEL32 ref: 00CCDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00CCDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CCDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CCDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00CCDAF8
SetForegroundWindow.USER32(?), ref: 00CCDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCDB10
keybd_event.USER32(00000012,00000000), ref: 00CCDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCDB25
keybd_event.USER32(00000012,00000000), ref: 00CCDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCDB33
keybd_event.USER32(00000012,00000000), ref: 00CCDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCDB42
keybd_event.USER32(00000012,00000000), ref: 00CCDB47
SetForegroundWindow.USER32(?), ref: 00CCDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00CCDB71

Strings

Shell_TrayWnd, xrefs: 00CCDA89

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 5baa90e47788c859c45791a5913035194d1d86414d24a3cf63b0be2808c7b450
Instruction ID: 6365e93a750516b3fc545e0055cb003862b2819a50e5861a32c4c47bd9cbd1e1
Opcode Fuzzy Hash: 5baa90e47788c859c45791a5913035194d1d86414d24a3cf63b0be2808c7b450
Instruction Fuzzy Hash: 3C313571A80318BBEB215F61DC49FBE7E6DEB44B50F114035FA05E62D1DA705D42AAB0

Function 00CE8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00CE8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CE8D0D
Part of subcall function 00CE8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CE8D3A
Part of subcall function 00CE8CC3: GetLastError.KERNEL32 ref: 00CE8D47

_memset.LIBCMT ref: 00CE889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00CE88ED
CloseHandle.KERNEL32(?), ref: 00CE88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CE8915
GetProcessWindowStation.USER32 ref: 00CE892E
SetProcessWindowStation.USER32(00000000), ref: 00CE8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CE8952

Part of subcall function 00CE8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CE8851), ref: 00CE8728
Part of subcall function 00CE8713: CloseHandle.KERNEL32(?,?,00CE8851), ref: 00CE873A

Strings

winsta0, xrefs: 00CE8910
, xrefs: 00CE88AA
default, xrefs: 00CE894D

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: a73f9b61888c3cb1a6b1232a1078e84b02e06670820ef8f884b733227fd3beed
Instruction ID: c04684145d8ab628824b9f0f4e12548bff059756254c1f14d537a2c9a1fa08b4
Opcode Fuzzy Hash: a73f9b61888c3cb1a6b1232a1078e84b02e06670820ef8f884b733227fd3beed
Instruction Fuzzy Hash: 0C812D71900289BFDF11DFA5DC45AEE7B78AF04304F18416AF928B6261DF358A19EB60

Function 00D0425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00D1F910), ref: 00D04284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00D04292
GetClipboardData.USER32(0000000D), ref: 00D0429A
CloseClipboard.USER32 ref: 00D042A6
GlobalLock.KERNEL32(00000000), ref: 00D042C2
CloseClipboard.USER32 ref: 00D042CC
GlobalUnlock.KERNEL32(00000000), ref: 00D042E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00D042EE
GetClipboardData.USER32(00000001), ref: 00D042F6
GlobalLock.KERNEL32(00000000), ref: 00D04303
GlobalUnlock.KERNEL32(00000000), ref: 00D04337
CloseClipboard.USER32 ref: 00D04447

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 64262d13e0635e5a393e186337c0d90a6c1eba47835f9fd7b99eb44c1f4e34fb
Instruction ID: 3f0ca1bda051fa94898f833ed2bed80d7ba6c173ffd86e8ef1c5b5199d76a174
Opcode Fuzzy Hash: 64262d13e0635e5a393e186337c0d90a6c1eba47835f9fd7b99eb44c1f4e34fb
Instruction Fuzzy Hash: 3E518075204301ABD711EF64EC89FAE77A8AF84B00F044529F69AD22E1DF70D9059B76

Function 00CFC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CFC9F8
FindClose.KERNEL32(00000000), ref: 00CFCA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CFCA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CFCA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CFCAAF
__swprintf.LIBCMT ref: 00CFCAFB
__swprintf.LIBCMT ref: 00CFCB3E

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

__swprintf.LIBCMT ref: 00CFCB92

Part of subcall function 00CB38D8: __woutput_l.LIBCMT ref: 00CB3931

__swprintf.LIBCMT ref: 00CFCBE0

Part of subcall function 00CB38D8: __flsbuf.LIBCMT ref: 00CB3953
Part of subcall function 00CB38D8: __flsbuf.LIBCMT ref: 00CB396B

__swprintf.LIBCMT ref: 00CFCC2F
__swprintf.LIBCMT ref: 00CFCC7E
__swprintf.LIBCMT ref: 00CFCCCD

Strings

%4d, xrefs: 00CFCB38
%02d, xrefs: 00CFCB86, 00CFCB90, 00CFCBDE, 00CFCC2D, 00CFCC7C, 00CFCCCB
%4d%02d%02d%02d%02d%02d, xrefs: 00CFCAF5

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 948d9c80b1c7beb3027ddd801aed45d698f7e89e45a727ab4cf5d703fca551f6
Instruction ID: e5875604d100415f74e8bb32b358f0564ca1cba115fa0b3e1057238eae3b30db
Opcode Fuzzy Hash: 948d9c80b1c7beb3027ddd801aed45d698f7e89e45a727ab4cf5d703fca551f6
Instruction Fuzzy Hash: 94A130B1518344ABCB00EFA4C989DAFB7ECFF94700F40491DF596D6191EA34EA08DB62

Function 00CFF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00CFF221
_wcscmp.LIBCMT ref: 00CFF236
_wcscmp.LIBCMT ref: 00CFF24D
GetFileAttributesW.KERNEL32(?), ref: 00CFF25F
SetFileAttributesW.KERNEL32(?,?), ref: 00CFF279
FindNextFileW.KERNEL32(00000000,?), ref: 00CFF291
FindClose.KERNEL32(00000000), ref: 00CFF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00CFF2B8
_wcscmp.LIBCMT ref: 00CFF2DF
_wcscmp.LIBCMT ref: 00CFF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00CFF308
SetCurrentDirectoryW.KERNEL32(00D4A5A0), ref: 00CFF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CFF330
FindClose.KERNEL32(00000000), ref: 00CFF33D
FindClose.KERNEL32(00000000), ref: 00CFF34F

Strings

*.*, xrefs: 00CFF2B3

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 39ff7693f87ed20845463fcb117943da58d55556ba6c6a21304840b4382ed36d
Instruction ID: dae939a43a236d210d52b71e59020cd6cb06689a00e47e1eac1841c4c976c270
Opcode Fuzzy Hash: 39ff7693f87ed20845463fcb117943da58d55556ba6c6a21304840b4382ed36d
Instruction Fuzzy Hash: 9031937650021D7FDB50DBB4DC49AEE73ACDF08361F144179E924E31A0EB70DA4ACA65

Function 00D10AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D10BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00D1F910,00000000,?,00000000,?,?), ref: 00D10C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00D10C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00D10D1D
RegCloseKey.ADVAPI32(?), ref: 00D1103D
RegCloseKey.ADVAPI32(00000000), ref: 00D1104A

Strings

REG_QWORD, xrefs: 00D10F8B
REG_EXPAND_SZ, xrefs: 00D10CBA
REG_MULTI_SZ, xrefs: 00D10E05
REG_SZ, xrefs: 00D10D5B
REG_DWORD, xrefs: 00D10F0E
REG_BINARY, xrefs: 00D10FD8

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 83f8e562c74b058341d14d0533e85fa6af79d159c3857a435524b84040236dd4
Instruction ID: 7cfe72ab80653777a764f4683c07ce7e2343756e96b95ddd3a8a17e05c6c89cf
Opcode Fuzzy Hash: 83f8e562c74b058341d14d0533e85fa6af79d159c3857a435524b84040236dd4
Instruction Fuzzy Hash: AD026B75204651AFCB14EF18D885E6ABBE5EF88714F04845DF98A9B362CF30EC81DB91

Function 00CFF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00CFF37E
_wcscmp.LIBCMT ref: 00CFF393
_wcscmp.LIBCMT ref: 00CFF3AA

Part of subcall function 00CF45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CF45DC

FindNextFileW.KERNEL32(00000000,?), ref: 00CFF3D9
FindClose.KERNEL32(00000000), ref: 00CFF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00CFF400
_wcscmp.LIBCMT ref: 00CFF427
_wcscmp.LIBCMT ref: 00CFF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00CFF450
SetCurrentDirectoryW.KERNEL32(00D4A5A0), ref: 00CFF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CFF478
FindClose.KERNEL32(00000000), ref: 00CFF485
FindClose.KERNEL32(00000000), ref: 00CFF497

Strings

*.*, xrefs: 00CFF3FB

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: b9279abe822bf53f88b7588b8822848058a55b0398fdcf7435ef918de3633b27
Instruction ID: 6d36c8e7148638b51fce6d53ddeb92dfb21a1f95b22c6fd833a93a8768aa3f96
Opcode Fuzzy Hash: b9279abe822bf53f88b7588b8822848058a55b0398fdcf7435ef918de3633b27
Instruction Fuzzy Hash: 9D31E57250121D7FDB10ABA4EC88AEE77ACDF09320F104179E920E31A0DB70DB4ADA65

Function 00CE81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CE8766
Part of subcall function 00CE874A: GetLastError.KERNEL32(?,00CE822A,?,?,?), ref: 00CE8770
Part of subcall function 00CE874A: GetProcessHeap.KERNEL32(00000008,?,?,00CE822A,?,?,?), ref: 00CE877F
Part of subcall function 00CE874A: HeapAlloc.KERNEL32(00000000,?,00CE822A,?,?,?), ref: 00CE8786
Part of subcall function 00CE874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CE879D

Part of subcall function 00CE87E7: GetProcessHeap.KERNEL32(00000008,00CE8240,00000000,00000000,?,00CE8240,?), ref: 00CE87F3
Part of subcall function 00CE87E7: HeapAlloc.KERNEL32(00000000,?,00CE8240,?), ref: 00CE87FA
Part of subcall function 00CE87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00CE8240,?), ref: 00CE880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CE825B
_memset.LIBCMT ref: 00CE8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CE828F
GetLengthSid.ADVAPI32(?), ref: 00CE82A0
GetAce.ADVAPI32(?,00000000,?), ref: 00CE82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CE82F9
GetLengthSid.ADVAPI32(?), ref: 00CE8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00CE8325
HeapAlloc.KERNEL32(00000000), ref: 00CE832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CE834D
CopySid.ADVAPI32(00000000), ref: 00CE8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CE8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CE83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CE83BF

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: cf5f4dd720f11dbe14cdec3bafa51a966b72100211216d19c57e37d9d45c3ac7
Instruction ID: 8028e64637acc6c74fa2529551a26b647c0585ace21d460dc440902e4f953037
Opcode Fuzzy Hash: cf5f4dd720f11dbe14cdec3bafa51a966b72100211216d19c57e37d9d45c3ac7
Instruction Fuzzy Hash: 1C613B71900249BFDF00DFA5DC45AEEBBB9FF04700F148169F929E62A1DB319A09DB60

Function 00CA6843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

LF), xrefs: 00CE16DD
LIMIT_MATCH=, xrefs: 00CE15A9
UTF), xrefs: 00CE1533
UCP), xrefs: 00CE1546
ANY), xrefs: 00CE1717
UTF16), xrefs: 00CE1508
ANYCRLF), xrefs: 00CE1734
NO_START_OPT), xrefs: 00CE1588
BSR_ANYCRLF), xrefs: 00CE1757
BSR_UNICODE), xrefs: 00CE1771
LIMIT_RECURSION=, xrefs: 00CE1635
CRLF), xrefs: 00CE16FA
NO_AUTO_POSSESS), xrefs: 00CE1567
CR), xrefs: 00CE16C0

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 80e86a215ec42d132dae8790793e23513c62f6412f921d5f69fa61ce1f116cb4
Instruction ID: 79db5bd1c179f7b44e8faf5478af316d9d8e280feb768448cbf085c25ff1b9ff
Opcode Fuzzy Hash: 80e86a215ec42d132dae8790793e23513c62f6412f921d5f69fa61ce1f116cb4
Instruction Fuzzy Hash: 2E728271E0025A9BDF24CF5AC8807AEB7B5FF49714F18816AE855EB290D7309E81DB90

Function 00D10665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D10038,?,?), ref: 00D110BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D10737

Part of subcall function 00C99997: __itow.LIBCMT ref: 00C999C2
Part of subcall function 00C99997: __swprintf.LIBCMT ref: 00C99A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00D107D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00D1086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00D10AAD
RegCloseKey.ADVAPI32(00000000), ref: 00D10ABA

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 3b7ca90ba896af0497e1943b8c68378d5d56988fd2a468e301268f31ccc4af5e
Instruction ID: e57fc42601903b31f73e94d5152c97c31f9bcbf8f7fc62b3dd76476ada4b9fa4
Opcode Fuzzy Hash: 3b7ca90ba896af0497e1943b8c68378d5d56988fd2a468e301268f31ccc4af5e
Instruction Fuzzy Hash: B1E16F71204300AFCB14EF28D895E6ABBE4EF89714F08856DF449DB2A1DB70ED41DB61

Function 00CF0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CF0241
GetAsyncKeyState.USER32(000000A0), ref: 00CF02C2
GetKeyState.USER32(000000A0), ref: 00CF02DD
GetAsyncKeyState.USER32(000000A1), ref: 00CF02F7
GetKeyState.USER32(000000A1), ref: 00CF030C
GetAsyncKeyState.USER32(00000011), ref: 00CF0324
GetKeyState.USER32(00000011), ref: 00CF0336
GetAsyncKeyState.USER32(00000012), ref: 00CF034E
GetKeyState.USER32(00000012), ref: 00CF0360
GetAsyncKeyState.USER32(0000005B), ref: 00CF0378
GetKeyState.USER32(0000005B), ref: 00CF038A

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: eff441b8868f08fca591ae82d16f7dacbb609f847f9b4fddd19abf58c8e2973e
Instruction ID: ff577a879ad7b5f4b009cf3e772367ef8d57be2f26f312bd91d17ec9a9c9d522
Opcode Fuzzy Hash: eff441b8868f08fca591ae82d16f7dacbb609f847f9b4fddd19abf58c8e2973e
Instruction Fuzzy Hash: 7741A9245047CE6EFFB18B6488083B5BEA16B11B40F68805ED7D5466D3DBA45BC887B3

Function 00D086D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99997: __itow.LIBCMT ref: 00C999C2
Part of subcall function 00C99997: __swprintf.LIBCMT ref: 00C99A0C

CoInitialize.OLE32 ref: 00D08718
CoUninitialize.OLE32 ref: 00D08723
CoCreateInstance.OLE32(?,00000000,00000017,00D22BEC,?), ref: 00D08783
IIDFromString.OLE32(?,?), ref: 00D087F6
VariantInit.OLEAUT32(?), ref: 00D08890
VariantClear.OLEAUT32(?), ref: 00D088F1

Strings

Failed to create object, xrefs: 00D0878E, 00D08844
NULL Pointer assignment, xrefs: 00D087C8
Invalid parameter, xrefs: 00D0880F

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 9d4cea3382eb0b3a3e488e72b4a832f983ea68d7ff2cedbf9490f971d157542b
Instruction ID: 36d34fae1129da976dc6cbaadbcbf5338d47712981b99a454bbc938bf6f1643b
Opcode Fuzzy Hash: 9d4cea3382eb0b3a3e488e72b4a832f983ea68d7ff2cedbf9490f971d157542b
Instruction Fuzzy Hash: 3861B270608711AFD710DF64D848B6ABBE8EF88714F14491DF5C99B291CB70ED48EBA2

Function 00D04458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00D0447F
EmptyClipboard.USER32 ref: 00D04485
GlobalAlloc.KERNEL32(00000002,?), ref: 00D0449A
CloseClipboard.USER32 ref: 00D04539

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 30a8b688d0fe40390eb097d25bb473ca5b537d06313dfa0cf17bb3b4d826d784
Instruction ID: a5f5f4981403b607106a3d0e762ba30db835772fea1573e5b2cf9175775d33c0
Opcode Fuzzy Hash: 30a8b688d0fe40390eb097d25bb473ca5b537d06313dfa0cf17bb3b4d826d784
Instruction Fuzzy Hash: B2214B75200210AFDB10AF64EC49BA977A8EF14711F14802AF94ADB2A1CFB4E9019A69

Function 00CF3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C948A1,?,?,00C937C0,?), ref: 00C948CE

Part of subcall function 00CF4CD3: GetFileAttributesW.KERNEL32(?,00CF3947), ref: 00CF4CD4

FindFirstFileW.KERNEL32(?,?), ref: 00CF3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00CF3B87
MoveFileW.KERNEL32(?,?), ref: 00CF3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00CF3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CF3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00CF3BF5

Strings

\*.*, xrefs: 00CF3A8A, 00CF3A93, 00CF3AA8

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 6108e9d3d29da4e1fde42eecf484b04855908f62a121e541c8c212dd0cab0418
Instruction ID: 5404811325acc4f29e2da233377a4408f5c0feed0e4cd3e67b2b1fa4890f0a00
Opcode Fuzzy Hash: 6108e9d3d29da4e1fde42eecf484b04855908f62a121e541c8c212dd0cab0418
Instruction Fuzzy Hash: 19515C3180624DABCF15EBE0CD969FDB778AF14300F6441A9E552B7191EF206F09EBA1

Function 00CFF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00CFF6AB
Sleep.KERNEL32(0000000A), ref: 00CFF6DB
_wcscmp.LIBCMT ref: 00CFF6EF
_wcscmp.LIBCMT ref: 00CFF70A
FindNextFileW.KERNEL32(?,?), ref: 00CFF7A8
FindClose.KERNEL32(00000000), ref: 00CFF7BE

Strings

*.*, xrefs: 00CFF690

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 37c1afd8b3ac10d50f1f273f6cc4a9a438cea6047e0047ac20f8589be6128247
Instruction ID: c557fca176050d31fe3f7ee360e1d3ad378568f3f69a566af67607bbde63f815
Opcode Fuzzy Hash: 37c1afd8b3ac10d50f1f273f6cc4a9a438cea6047e0047ac20f8589be6128247
Instruction Fuzzy Hash: EB41927190420EAFCF51EF64CC89AEEBBB4FF05310F14456AE915A31A0EB309E45DB61

Function 00CA4140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00CD7B0C
VUUU, xrefs: 00CA44ED
ERCP, xrefs: 00CA421F
VUUU, xrefs: 00CA44DB
VUUU, xrefs: 00CA4520

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 21c2ad87ad62127e14c66f88a8394a789689400ca438d001f47206099a777b56
Instruction ID: 47cc312d95106832ff440d965a56e86da579846a12024f21deec0649df37dbdd
Opcode Fuzzy Hash: 21c2ad87ad62127e14c66f88a8394a789689400ca438d001f47206099a777b56
Instruction Fuzzy Hash: CEA2A270E0421ACBDF28CF59C9807ADB7B1FF95318F1482AAD925A7380E7749E85CB50

Function 00CA58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CA5A05
_memmove.LIBCMT ref: 00CA5A55
_memmove.LIBCMT ref: 00CA5ABB

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c7159ec2b6b0728d9d3fd1818941c65e14d35e440a00ce4969fd812a7880ddf7
Instruction ID: 06d2702ccf58b82847e375af68bfab1dd05487f7fc84f36ae0876529d2e7c806
Opcode Fuzzy Hash: c7159ec2b6b0728d9d3fd1818941c65e14d35e440a00ce4969fd812a7880ddf7
Instruction Fuzzy Hash: 7612BC70A0060ADFDF14DFA5D985AEEB3B5FF48304F208129E806E7251EB35AE55DB60

Function 00CF545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CE8D0D
Part of subcall function 00CE8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CE8D3A
Part of subcall function 00CE8CC3: GetLastError.KERNEL32 ref: 00CE8D47

ExitWindowsEx.USER32(?,00000000), ref: 00CF549B

Strings

SeShutdownPrivilege, xrefs: 00CF546B
@, xrefs: 00CF548E
, xrefs: 00CF5489

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 1536d45150568cdc06923e610fa817e3f34bed8fdfba88a5736474807c805595
Instruction ID: 822086e0b4df090fa626b417e8037d5e1f9757e2bd1ff6a481c0713aee7d0506
Opcode Fuzzy Hash: 1536d45150568cdc06923e610fa817e3f34bed8fdfba88a5736474807c805595
Instruction Fuzzy Hash: 34014732A54F196AE7A86779DC4ABBA7A58EB05343F200021FF1AE20D3DA500C8081A2

Function 00D06596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00D065EF
WSAGetLastError.WSOCK32(00000000), ref: 00D065FE
bind.WSOCK32(00000000,?,00000010), ref: 00D0661A
listen.WSOCK32(00000000,00000005), ref: 00D06629
WSAGetLastError.WSOCK32(00000000), ref: 00D06643
closesocket.WSOCK32(00000000,00000000), ref: 00D06657

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 0085259b9013f4071a61fe19247bc7677081fe49f2786848c146c26d52e5510f
Instruction ID: 2048e52eecf3440c5a40c8825b03ab216f52982cd5f4b70cbd2be71fc059bcc0
Opcode Fuzzy Hash: 0085259b9013f4071a61fe19247bc7677081fe49f2786848c146c26d52e5510f
Instruction Fuzzy Hash: 3F219E30600200AFCB10EF68CC49B6EB7A9EF45320F1481A9E95AE73D1CB70ED01DB61

Function 00CA5680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00CB0FF6: std::exception::exception.LIBCMT ref: 00CB102C
Part of subcall function 00CB0FF6: __CxxThrowException@8.LIBCMT ref: 00CB1041

_memmove.LIBCMT ref: 00CE062F
_memmove.LIBCMT ref: 00CE0744
_memmove.LIBCMT ref: 00CE07EB

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 5dfae506c957a28229501e0dde520b543f7e1a8fd450efc7b9d5cb636b682fbb
Instruction ID: 1ccf682731f293019baed7c049f87b0b4c7bfbb01637a847a77524e09226ecea
Opcode Fuzzy Hash: 5dfae506c957a28229501e0dde520b543f7e1a8fd450efc7b9d5cb636b682fbb
Instruction Fuzzy Hash: B602BFB0A00209DFCF04DF65D981AAEBBB5FF45300F2480A9E806DB295EB35DE55DB91

Function 00C91287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00C92612: GetWindowLongW.USER32(?,000000EB), ref: 00C92623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C919FA
GetSysColor.USER32(0000000F), ref: 00C91A4E
SetBkColor.GDI32(?,00000000), ref: 00C91A61

Part of subcall function 00C91290: DefDlgProcW.USER32(?,00000020,?), ref: 00C912D8

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 767e8ed8a32d7be578348f61e5d3cc856e559ec4b1b39af6995de361c62fbfa2
Instruction ID: 28329c1d90e58da5dc47e14a0835ca2296560bc418876b6680e72416d4332edb
Opcode Fuzzy Hash: 767e8ed8a32d7be578348f61e5d3cc856e559ec4b1b39af6995de361c62fbfa2
Instruction Fuzzy Hash: A8A14770115686FEEE28AB6A9C5FEBF359DDB42341F1C0119FC12D6292CE20CE41A2B5

Function 00D06A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D080A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D080CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00D06AB1
WSAGetLastError.WSOCK32(00000000), ref: 00D06ADA
bind.WSOCK32(00000000,?,00000010), ref: 00D06B13
WSAGetLastError.WSOCK32(00000000), ref: 00D06B20
closesocket.WSOCK32(00000000,00000000), ref: 00D06B34

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 59812a8b5735b9e57d7af8bb5f80a848d61d78031f6a712e51b79e763fcbb592
Instruction ID: 10e0634678c0f839712cc5834fe29836c3294fa9a3e86efac307c9c08a75f1a8
Opcode Fuzzy Hash: 59812a8b5735b9e57d7af8bb5f80a848d61d78031f6a712e51b79e763fcbb592
Instruction Fuzzy Hash: AF419075B00210AFEF10AF68DC8AF6E77A9DB45710F04805CF95AAB3D2DA749D01A7A1

Function 00D155FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00D1564C
IsWindowEnabled.USER32 ref: 00D1565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00D15667
IsIconic.USER32 ref: 00D15675
IsZoomed.USER32 ref: 00D15683

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2044346b3deabcc3b69fd61f2232a36ab6659a3a1e98e6c62c95cf9227fb7938
Instruction ID: 09233a2208770b5db23cd5994704d03a6d4c7da4fa092f27ea60223a2aa3bafc
Opcode Fuzzy Hash: 2044346b3deabcc3b69fd61f2232a36ab6659a3a1e98e6c62c95cf9227fb7938
Instruction Fuzzy Hash: 63119331700A11BFEB111F26FC44AAE7799EF94761B458029F446D7241CF38994286F5

Function 00D0C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CD1D88,?), ref: 00D0C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D0C324

Strings

GetSystemWow64DirectoryW, xrefs: 00D0C31E
kernel32.dll, xrefs: 00D0C30D

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: fd05bb7005d311508fb78c24bba9a598a5a881414e0a073ffee7d0fd8943b182
Instruction ID: 5a4e8e50c3217429df5155c061050128c407a54ddb4e55b6986d307d9fda2739
Opcode Fuzzy Hash: fd05bb7005d311508fb78c24bba9a598a5a881414e0a073ffee7d0fd8943b182
Instruction Fuzzy Hash: C8E012B4620713EFDF204F69D804B8676D4EF19755F84D539E899D22A0EB74D881CB70

Function 00CA3190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: a6c108cb6d0f2123319bf5657644cdf5a506f6ffb1c002d6805963fedbb7880f
Instruction ID: e166e3759e42b7b727991d0e34253b5733c29e0c0f3a19d0d773ae255e219bc5
Opcode Fuzzy Hash: a6c108cb6d0f2123319bf5657644cdf5a506f6ffb1c002d6805963fedbb7880f
Instruction Fuzzy Hash: A2228C716083829FCB24DF58C895B6FB7E4AF85304F144A1DF99697391EB30EA04DB92

Function 00D0F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00D0F151
Process32FirstW.KERNEL32(00000000,?), ref: 00D0F15F

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

Process32NextW.KERNEL32(00000000,?), ref: 00D0F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00D0F22E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 00abb489fc4fe132150dd0e1a9e8d8e5c1e8db317e733c730294d083ff71d03e
Instruction ID: cfdefbd033aca1c7c304595859816afcf72fc36fd179f9947d0ae95309b16741
Opcode Fuzzy Hash: 00abb489fc4fe132150dd0e1a9e8d8e5c1e8db317e733c730294d083ff71d03e
Instruction Fuzzy Hash: 14516C71504300AFD720EF24DC89A6BB7E8EF95710F14492DF499D72A1EB70A908DBA2

Function 00CF40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00CF40D1
_memset.LIBCMT ref: 00CF40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00CF4144
CloseHandle.KERNEL32(00000000), ref: 00CF414D

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: bbad0b4d48c59eac43548327e2a624e5f45f694867feca6872404329a1314889
Instruction ID: f18dedd2ad5fa1275c74e6dc7416aca1cd61a6e05903d20de1e5c28c8d20ccbd
Opcode Fuzzy Hash: bbad0b4d48c59eac43548327e2a624e5f45f694867feca6872404329a1314889
Instruction Fuzzy Hash: E611987590132C7AE7305BA5AC4DFEBBB7CEF44760F104196F918D7290D6744E808BA5

Function 00CEEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00CEEB19

Strings

(, xrefs: 00CEEB5F
|, xrefs: 00CEEB49

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: f1f8ab0f8d4713986a5dd90281c7f024cb3ffb62bf8ace29f3d8f33611913377
Instruction ID: 04113c894e3f6f1947a523a68bee004fcb15b6016ddcf3368479dc5e1c3407b0
Opcode Fuzzy Hash: f1f8ab0f8d4713986a5dd90281c7f024cb3ffb62bf8ace29f3d8f33611913377
Instruction Fuzzy Hash: 36324775A007459FCB28CF5AC48196AB7F1FF48310B15C56EE8AADB3A1E770E941CB44

Function 00D025E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00D01AFE,00000000), ref: 00D026D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00D0270C

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 12bdabf6eb9076f0aeb4c8a9679280930e6c75d4c6480ac585aa4a309f107e64
Instruction ID: 12d133f1672b40a931b13df849d10bdeeca081e68dc12632aaf09659dabae6c8
Opcode Fuzzy Hash: 12bdabf6eb9076f0aeb4c8a9679280930e6c75d4c6480ac585aa4a309f107e64
Instruction Fuzzy Hash: C541E571501309BFEB20DB94DC89FBBB7BCEB40724F54406AFA49A61C0EAB19E419674

Function 00CFB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CFB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CFB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00CFB655

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 05f6b4ae4ba0e20c892dc73cf3be090622b159d4d5d60154eb6509a7bd25f3bd
Instruction ID: 349d5451a0eabb9781cfe5e041c951eed3d4fb4a5e8cc2ddc55e2b34e04ea749
Opcode Fuzzy Hash: 05f6b4ae4ba0e20c892dc73cf3be090622b159d4d5d60154eb6509a7bd25f3bd
Instruction Fuzzy Hash: 37216035A00618EFCB00EF65D884AEDBBB8FF48310F1480A9E905EB351DB319956DB55

Function 00CE8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00CB0FF6: std::exception::exception.LIBCMT ref: 00CB102C
Part of subcall function 00CB0FF6: __CxxThrowException@8.LIBCMT ref: 00CB1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CE8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CE8D3A
GetLastError.KERNEL32 ref: 00CE8D47

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: a9e38044eb9da866d38b03ea32712b51af7937e5a4964311f7d07fc869e1d179
Instruction ID: 9f0386f501439fe4d98b702df6cd9a6e5ab8aaa5066a4e2037a14b6af5692ce4
Opcode Fuzzy Hash: a9e38044eb9da866d38b03ea32712b51af7937e5a4964311f7d07fc869e1d179
Instruction Fuzzy Hash: C6118FB1514309AFD728EF95DC85DABB7B8EB44710B20852EF45A93241EF30AD458A60

Function 00CF4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00CF4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00CF4C43
FreeSid.ADVAPI32(?), ref: 00CF4C53

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a66b1a5d5060fcb9d4daf38fecf700adba7367a37a0ce8751b285bb2c389ded8
Instruction ID: 5f0e7ca1139a1afb7b535f87f2f5645947c19b041cbbc74d197a12d336408268
Opcode Fuzzy Hash: a66b1a5d5060fcb9d4daf38fecf700adba7367a37a0ce8751b285bb2c389ded8
Instruction Fuzzy Hash: 67F04F7591130CBFDF04DFF0DC89AFEBBBCEF08211F004469A601E2291D6705A048B50

Function 00C9E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8159f3f21d5882a971d7387323be4e3ec690c14a6513613e06d453e454742db9
Instruction ID: bcff6e199a40e36b88dc62e9387cf665de7d3114ed7f9d5a6aed56b1f86a813a
Opcode Fuzzy Hash: 8159f3f21d5882a971d7387323be4e3ec690c14a6513613e06d453e454742db9
Instruction Fuzzy Hash: E322A070A00215DFDF24DF58C488ABEB7F0FF24300F14856AE9669B351E734AA81DB91

Function 00CFC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CFC966
FindClose.KERNEL32(00000000), ref: 00CFC996

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 20b6fdb8d13a8a79d882c2cbc2209df2ba5f746837d439bebf256eddeeb5b143
Instruction ID: d7875a23471d1176d39282b9c99cac945848786c9887ca4b8284569b374bee39
Opcode Fuzzy Hash: 20b6fdb8d13a8a79d882c2cbc2209df2ba5f746837d439bebf256eddeeb5b143
Instruction Fuzzy Hash: 14118E326106049FDB10EF29C849A2AF7E9EF94320F00851EF9A9D7291DB70AD01DB91

Function 00CFA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00D0977D,?,00D1FB84,?), ref: 00CFA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00D0977D,?,00D1FB84,?), ref: 00CFA314

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 801fb71a5b8e1c3221cb59471d81d7ade3866c29b937a20c404e452f6b29c3f3
Instruction ID: 040fbd1f5b9e261aaa22bd5fef1350d68d2a10787cff7ea6329e73b63e4ac5ba
Opcode Fuzzy Hash: 801fb71a5b8e1c3221cb59471d81d7ade3866c29b937a20c404e452f6b29c3f3
Instruction Fuzzy Hash: DAF0E23110432DBBDB109FA4CC48FEAB36CBF08361F008265F918D3291DA30D904CBA2

Function 00CE8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CE8851), ref: 00CE8728
CloseHandle.KERNEL32(?,?,00CE8851), ref: 00CE873A

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 9aada7b8c0fcdfb53b6bfa9b73357241dcfad0dfc87ebe69a68cb07961d4ec8f
Instruction ID: 2363b6d99ad0db7b89a3a06f6a4568108e09ff962f6c4544e237f173b407d435
Opcode Fuzzy Hash: 9aada7b8c0fcdfb53b6bfa9b73357241dcfad0dfc87ebe69a68cb07961d4ec8f
Instruction Fuzzy Hash: BFE0BF75010650EEE7252B61FC05DB777A9EB04350B148529F956C0470DB616C91DB10

Function 00CBA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00CB8F97,?,?,?,00000001), ref: 00CBA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00CBA3A3

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f7d25796e9ec0620042e23f7bfc0620d3edcadf7d0f9b84aa294d7a8091431ca
Instruction ID: eedabd6889ecf7083a5a24e7dab0a3cbba40043ff4e2403b85ce08e96e50a598
Opcode Fuzzy Hash: f7d25796e9ec0620042e23f7bfc0620d3edcadf7d0f9b84aa294d7a8091431ca
Instruction Fuzzy Hash: 36B09231054308FBCA002B91EC09BC83F68FB44BA2F408020F61DC4260CF6254528AA1

Function 00C9E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00CD428C

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 064905e864e3dbe1455c0a065da6f2ea91932b5d43ee8c6d7cfa51fcb0cee465
Instruction ID: 12e97713b0207eba9c8612f8205d1e017b4055f9257c8116363e02b1923fbfa6
Opcode Fuzzy Hash: 064905e864e3dbe1455c0a065da6f2ea91932b5d43ee8c6d7cfa51fcb0cee465
Instruction Fuzzy Hash: 1EA29075A04205CFCF24CF99C488AADB7B1FF68310F24806AE916AB351D735EE42DB91

Function 00CBF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ef06372623738a1ff08a3b747d9920e5278a82b9d81d27a0312f58c8cb5bec
Instruction ID: 99bd46b8c9d56d5153dcf5497046abbded599a71c0a56cb58abd051bce3fc8ee
Opcode Fuzzy Hash: b0ef06372623738a1ff08a3b747d9920e5278a82b9d81d27a0312f58c8cb5bec
Instruction Fuzzy Hash: D732F122D69F414DD7339638DC32336A648AFB73C4F15D73BE829B5AA6EB28C5834110

Function 00CC267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9b5b77f35ecbb7e387df5ea700069a8755b4959b7f4965f62a0b8115ff5f65
Instruction ID: 7eba98ef3a59595623d98a16e0d1cc587a8c52615df3eab12536a399f94307f9
Opcode Fuzzy Hash: eb9b5b77f35ecbb7e387df5ea700069a8755b4959b7f4965f62a0b8115ff5f65
Instruction Fuzzy Hash: F0B1E031D2AF414ED223A639C831336B65CAFBB6D5F51D71BFC2AB4E22EB2185834141

Function 00CF8B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00CF8B25

Part of subcall function 00CB543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00CF91F8,00000000,?,?,?,?,00CF93A9,00000000,?), ref: 00CB5443
Part of subcall function 00CB543A: __aulldiv.LIBCMT ref: 00CB5463

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: f992fe2f735dfe98a1f3cec6d76194a7d325d7db728840d48a75460d16396f4b
Instruction ID: 92f12ac90cfdaa43a6fc2a8054ae21cc4561d1ec61fbefb829c55c0af0797670
Opcode Fuzzy Hash: f992fe2f735dfe98a1f3cec6d76194a7d325d7db728840d48a75460d16396f4b
Instruction Fuzzy Hash: AB21E472635610CBC729CF25D841B62B3E1EBA4311B288E6CE5F5CB2D0CA34B949CB94

Function 00D041FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00D04218

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ea82423c1dd2becd782be154cdf645db00802a1bde47a523e34e01d73d0fc830
Instruction ID: fbf840dcce335856e821ec31e1c173520062b6879cd6c414c90003f9b332e466
Opcode Fuzzy Hash: ea82423c1dd2becd782be154cdf645db00802a1bde47a523e34e01d73d0fc830
Instruction Fuzzy Hash: A8E048713402145FC710EF69D844E9AF7D8EF64760F008019FD49C7361DA70E8419BA5

Function 00CF4EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00CF4EEC

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 6dbfa6e5f347f83c739be99a5f686297d98b084485588a35c8893ed59c5b4022
Instruction ID: 3ecee1a1077b1d85021434406a795aada9daa1a28f70982d5b917ee0eb7a8758
Opcode Fuzzy Hash: 6dbfa6e5f347f83c739be99a5f686297d98b084485588a35c8893ed59c5b4022
Instruction Fuzzy Hash: 0FD0179816060D7AEA9C8B20985FFB78119B300781F91414AB312890C1D8906D956032

Function 00CE8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00CE88D1), ref: 00CE8CB3

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: c6b4511bc2a643b52829363c7e1f2a89b0a30a79e735b0cad58e10042e532ad3
Instruction ID: 7f8f0ff11ca3f1b35526b3e30408f5ed2eb9091e754d5d86ac7c0ff0c8353200
Opcode Fuzzy Hash: c6b4511bc2a643b52829363c7e1f2a89b0a30a79e735b0cad58e10042e532ad3
Instruction Fuzzy Hash: 4CD09E3226460EBBEF019FA4DD05EEE3B69EB04B01F408511FE15D51A1C775D935AB60

Function 00CD2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00CD2242

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 34c552401bd1b25add4952ef80e454a3f770175da442bb53afa56c9ae51ba7ad
Instruction ID: d82740e216379f434f6cf0f038772e18c20e929e3d0d88a198806acc16192d6d
Opcode Fuzzy Hash: 34c552401bd1b25add4952ef80e454a3f770175da442bb53afa56c9ae51ba7ad
Instruction Fuzzy Hash: ECC04CF1800109EBDB05DB90D988DEE77BCAB08304F144156A541F2200D7749B448A71

Function 00CBA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00CBA36A

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f168f9d16ff0477e63d5726c44c424e208a6ad793021655e311ca68303ce464f
Instruction ID: 9f635cd35b3949fcacad5d17a7bf85a231c082abf401fc55b71b3fd7518389ab
Opcode Fuzzy Hash: f168f9d16ff0477e63d5726c44c424e208a6ad793021655e311ca68303ce464f
Instruction Fuzzy Hash: 69A0113000020CBB8A002B82EC08888BFACEA002A0B008020F80C80222CB32A8228AA0

Function 00CA8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d924c9b12f842a9e64d9c6dfb5dca4d444b0000646e2c346c07177df593778
Instruction ID: d22806a044e10119b5402c1f599077f806b7e58cf61e26d7c4fb3bfd8e6a6ae6
Opcode Fuzzy Hash: e5d924c9b12f842a9e64d9c6dfb5dca4d444b0000646e2c346c07177df593778
Instruction Fuzzy Hash: 75222870901697CBDF288F1AC49467D77A1EB0331CF64446AD8668B291DB349F99CF60

Function 00CB2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: c371436af95e23bc01c0e0a72bca9a3212bf6bd7224e0adcac496ce36ccbce1a
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 98C1943220509309DF2D867AD4341BEBBE15EA27B176E075DE8B3DB5D4EF20D624E620

Function 00CB283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: cd9ad4211a732894beb7dcf699aa124cc9d3aa7a80765a0c746fd0b87aff0247
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 50C195332051930ADF2D467A94340BEBBE15BA27B175E076DE8B3DB5D4EF20D624E620

Function 00CB1BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: af34f617cd3573e47758783c90ecb1a3cd1d53007b14248f3521274b74ee1c23
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: B6C1833220519309DF6D467AD4340BEBBE15AA27B17AE076DECB3CB5D4EF20D624D620

Function 00D07B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D07B70
DeleteObject.GDI32(00000000), ref: 00D07B82
DestroyWindow.USER32 ref: 00D07B90
GetDesktopWindow.USER32 ref: 00D07BAA
GetWindowRect.USER32(00000000), ref: 00D07BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00D07CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00D07D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D07D4A
GetClientRect.USER32(00000000,?), ref: 00D07D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00D07D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D07DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D07DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D07DD0
GlobalLock.KERNEL32(00000000), ref: 00D07DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D07DE8
GlobalUnlock.KERNEL32(00000000), ref: 00D07DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D07DF8
GlobalFree.KERNEL32(00000000), ref: 00D07E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D07E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00D22CAC,00000000), ref: 00D07E2B
GlobalFree.KERNEL32(00000000), ref: 00D07E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00D07E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00D07E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D07EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00D0808F

Strings

DISPLAY, xrefs: 00D07EF2
AutoIt v3, xrefs: 00D07D42
static, xrefs: 00D07D8A, 00D07EE1
, xrefs: 00D08015

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 2b74630683fdd923a86445d28b0f68ce9ccfb1482ba8c1c4389f4c35b4d9535a
Instruction ID: 1e5bf4c780d4d0be8c7d1a3020e03823864bbc9af53fcd87b740fc5e475185cc
Opcode Fuzzy Hash: 2b74630683fdd923a86445d28b0f68ce9ccfb1482ba8c1c4389f4c35b4d9535a
Instruction Fuzzy Hash: 89024B71900215BFDB14DFA8DC89EAE7BB9EB48311F148158F919EB2A1CB70AD41CB74

Function 00D137F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00D1F910), ref: 00D138AF
IsWindowVisible.USER32(?), ref: 00D138D3

Strings

GETSELECTED, xrefs: 00D13B2B
SELECTSTRING, xrefs: 00D13A8E
ADDSTRING, xrefs: 00D1399E
DELSTRING, xrefs: 00D139D1
ISCHECKED, xrefs: 00D13AC1
ISVISIBLE, xrefs: 00D138BF
GETLINE, xrefs: 00D13C23
TABRIGHT, xrefs: 00D13925
FINDSTRING, xrefs: 00D139FE
GETCURRENTCOL, xrefs: 00D13BB0
GETLINECOUNT, xrefs: 00D13B4E
GETCURRENTLINE, xrefs: 00D13B75
GETCURRENTSELECTION, xrefs: 00D13A6B
CHECK, xrefs: 00D13AF5
SENDCOMMANDID, xrefs: 00D13C62
EDITPASTE, xrefs: 00D13BE7
HIDEDROPDOWN, xrefs: 00D13988
SETCURRENTSELECTION, xrefs: 00D13A3E
UNCHECK, xrefs: 00D13B0B
SHOWDROPDOWN, xrefs: 00D13968
CURRENTTAB, xrefs: 00D13945
ISENABLED, xrefs: 00D138F3
TABLEFT, xrefs: 00D1390F

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 320d7472419cfa0fbda28a6c5aab5f610daed6aff1d5b20660ad5de6bdb9a7a5
Instruction ID: 9a7d41564ef62f4546869e844960369de3dd7668e11f6dbe1055cf7621551d23
Opcode Fuzzy Hash: 320d7472419cfa0fbda28a6c5aab5f610daed6aff1d5b20660ad5de6bdb9a7a5
Instruction Fuzzy Hash: 61D17F30204305ABCB14EF25D455AAE77A6EF54354F14845CF8865B3E2CF31EE8ADBA1

Function 00D1A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00D1A89F
GetSysColorBrush.USER32(0000000F), ref: 00D1A8D0
GetSysColor.USER32(0000000F), ref: 00D1A8DC
SetBkColor.GDI32(?,000000FF), ref: 00D1A8F6
SelectObject.GDI32(?,?), ref: 00D1A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00D1A930
GetSysColor.USER32(00000010), ref: 00D1A938
CreateSolidBrush.GDI32(00000000), ref: 00D1A93F
FrameRect.USER32(?,?,00000000), ref: 00D1A94E
DeleteObject.GDI32(00000000), ref: 00D1A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00D1A9A0
FillRect.USER32(?,?,?), ref: 00D1A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00D1A9FD

Part of subcall function 00D1AB60: GetSysColor.USER32(00000012), ref: 00D1AB99
Part of subcall function 00D1AB60: SetTextColor.GDI32(?,?), ref: 00D1AB9D
Part of subcall function 00D1AB60: GetSysColorBrush.USER32(0000000F), ref: 00D1ABB3
Part of subcall function 00D1AB60: GetSysColor.USER32(0000000F), ref: 00D1ABBE
Part of subcall function 00D1AB60: GetSysColor.USER32(00000011), ref: 00D1ABDB
Part of subcall function 00D1AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D1ABE9
Part of subcall function 00D1AB60: SelectObject.GDI32(?,00000000), ref: 00D1ABFA
Part of subcall function 00D1AB60: SetBkColor.GDI32(?,00000000), ref: 00D1AC03
Part of subcall function 00D1AB60: SelectObject.GDI32(?,?), ref: 00D1AC10
Part of subcall function 00D1AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00D1AC2F
Part of subcall function 00D1AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D1AC46
Part of subcall function 00D1AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00D1AC5B

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: ffaf80e70b978a9b6caf86091a116e40742f2722bf0eb931c76a806140134a82
Instruction ID: 2d69380bf9bb39f68a59a31c9c517f92048f558312e231e717a2528eab0ce7ae
Opcode Fuzzy Hash: ffaf80e70b978a9b6caf86091a116e40742f2722bf0eb931c76a806140134a82
Instruction Fuzzy Hash: A5A18271009301FFD7119F68EC08A9B7BA9FF88321F144A29F956D62E1DB31D985CB62

Function 00D077BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00D077F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00D078B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00D078EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00D07900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00D07946
GetClientRect.USER32(00000000,?), ref: 00D07952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00D07996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00D079A5
GetStockObject.GDI32(00000011), ref: 00D079B5
SelectObject.GDI32(00000000,00000000), ref: 00D079B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00D079C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D079D2
DeleteDC.GDI32(00000000), ref: 00D079DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00D07A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00D07A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00D07A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00D07A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00D07A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00D07AAE
GetStockObject.GDI32(00000011), ref: 00D07AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00D07AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00D07ACE

Strings

DISPLAY, xrefs: 00D0799B
AutoIt v3, xrefs: 00D0793E
msctls_progress32, xrefs: 00D07A4F
static, xrefs: 00D07990, 00D07AA8

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1ab155b7cb5d6628bc83b491e4bf89811f2b46b6508d86d7e512704c0dfe66e8
Instruction ID: 526aaed7804148c077480842a3f62ab47eb021b8352f8b21196d4380df7fffeb
Opcode Fuzzy Hash: 1ab155b7cb5d6628bc83b491e4bf89811f2b46b6508d86d7e512704c0dfe66e8
Instruction Fuzzy Hash: 43A14F71A40315BFEB149BA8DC4AFAE7BA9EB44711F048114FA19E72E0DA70AD41CB74

Function 00CFAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CFAF89
GetDriveTypeW.KERNEL32(?,00D1FAC0,?,\\.\,00D1F910), ref: 00CFB066
SetErrorMode.KERNEL32(00000000,00D1FAC0,?,\\.\,00D1F910), ref: 00CFB1C4

Strings

SCSI, xrefs: 00CFB131
\\.\, xrefs: 00CFAFDB
PhysicalDrive, xrefs: 00CFB012
Fixed, xrefs: 00CFB0AE
SAS, xrefs: 00CFB170
RAMDisk, xrefs: 00CFB090
Fibre, xrefs: 00CFB154
SSD, xrefs: 00CFB0F1
Unknown, xrefs: 00CFB086, 00CFB12A
Removable, xrefs: 00CFB0B8
MMC, xrefs: 00CFB185
USB, xrefs: 00CFB15B
SATA, xrefs: 00CFB177
1394, xrefs: 00CFB146
CDROM, xrefs: 00CFB09A
FileBackedVirtual, xrefs: 00CFB193
iSCSI, xrefs: 00CFB169
SSA, xrefs: 00CFB14D
ATAPI, xrefs: 00CFB138
RAID, xrefs: 00CFB162
ATA, xrefs: 00CFB13F
Network, xrefs: 00CFB0A4
Virtual, xrefs: 00CFB18C

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 48073d6b63422bfe04bcaa2dc0bd1a3cc37acdb7b82e2e99f7792e95fc6d9cd2
Instruction ID: 950a430734b34aedddef938eef83024c53270f40b015eed63c361f24ae716697
Opcode Fuzzy Hash: 48073d6b63422bfe04bcaa2dc0bd1a3cc37acdb7b82e2e99f7792e95fc6d9cd2
Instruction Fuzzy Hash: C151D3706C430DAFCB54EB59C992DBD73B0EB14381720C116F61AAB290CB759E49EB63

Function 00C96A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C96A91
__wcsnicmp.LIBCMT ref: 00C96AA9
__wcsnicmp.LIBCMT ref: 00C96AC1
__wcsnicmp.LIBCMT ref: 00C96AD9
__wcsnicmp.LIBCMT ref: 00C96AF1
__wcsnicmp.LIBCMT ref: 00C96B09
__wcsnicmp.LIBCMT ref: 00C96B21
__wcsnicmp.LIBCMT ref: 00C96B35
__wcsnicmp.LIBCMT ref: 00C96B76
__wcsnicmp.LIBCMT ref: 00C96B8A
__wcsnicmp.LIBCMT ref: 00C96B9E
__wcsnicmp.LIBCMT ref: 00C96BB2

Strings

#include, xrefs: 00C96B03
#ce, xrefs: 00C96BAC
#OnAutoItStartRegister, xrefs: 00C96AD3
#comments-start, xrefs: 00C96B1B, 00C96B70
#requireadmin, xrefs: 00C96ABB
#cs, xrefs: 00C96B2F, 00C96B84
Cannot parse #include, xrefs: 00CCE819
#pragma compile, xrefs: 00C96A8B
#notrayicon, xrefs: 00C96AA3
Unterminated group of comments, xrefs: 00CCE82C
Bad directive syntax error, xrefs: 00CCE743
#include-once, xrefs: 00C96AEB
#comments-end, xrefs: 00C96B98

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: d715640452faf19cedbd5b37576cbe854f96d1d0993de62b91e1178a28441a39
Instruction ID: 6bc64124384b4512de7d24d7c39fee1630319b5f7d71decd4f88f6aa14833b72
Opcode Fuzzy Hash: d715640452faf19cedbd5b37576cbe854f96d1d0993de62b91e1178a28441a39
Instruction Fuzzy Hash: 7B8124B1600255BBCF21AB60DD9AFFE7768AF11700F144028F945AA1C2EF60DB45F2A1

Function 00D19C8B Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00D19D41
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00D19DFA
SendMessageW.USER32(?,00001102,00000002,?), ref: 00D19E16

Strings

0, xrefs: 00D19E53

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: d9715d62672ba19aa24dc466326eaf50a63231e4deee29ee26b6e1605f51cd77
Instruction ID: 98d68c5c2d495f9a2e37f591a5920a307cbcf6edafa6b65b7738b8480767bb47
Opcode Fuzzy Hash: d9715d62672ba19aa24dc466326eaf50a63231e4deee29ee26b6e1605f51cd77
Instruction Fuzzy Hash: 6502BF70209301BFD715CF28E858BEABBE5FF49314F088529F895D62A1CB35D985CB62

Function 00D1AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00D1AB99
SetTextColor.GDI32(?,?), ref: 00D1AB9D
GetSysColorBrush.USER32(0000000F), ref: 00D1ABB3
GetSysColor.USER32(0000000F), ref: 00D1ABBE
CreateSolidBrush.GDI32(?), ref: 00D1ABC3
GetSysColor.USER32(00000011), ref: 00D1ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D1ABE9
SelectObject.GDI32(?,00000000), ref: 00D1ABFA
SetBkColor.GDI32(?,00000000), ref: 00D1AC03
SelectObject.GDI32(?,?), ref: 00D1AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00D1AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D1AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00D1AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00D1ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00D1ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00D1ACEC
DrawFocusRect.USER32(?,?), ref: 00D1ACF7
GetSysColor.USER32(00000011), ref: 00D1AD05
SetTextColor.GDI32(?,00000000), ref: 00D1AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00D1AD21
SelectObject.GDI32(?,00D1A869), ref: 00D1AD38
DeleteObject.GDI32(?), ref: 00D1AD43
SelectObject.GDI32(?,?), ref: 00D1AD49
DeleteObject.GDI32(?), ref: 00D1AD4E
SetTextColor.GDI32(?,?), ref: 00D1AD54
SetBkColor.GDI32(?,?), ref: 00D1AD5E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6e7dcc9bfabdb9abb3de0ebccf05bd66ccced2a9eef4ca74c3cd3ec5be114349
Instruction ID: 76b148438eb0b930ffb9fb833d375e2815594d433cc91db0ed1637419cddf16d
Opcode Fuzzy Hash: 6e7dcc9bfabdb9abb3de0ebccf05bd66ccced2a9eef4ca74c3cd3ec5be114349
Instruction Fuzzy Hash: D7615171901218FFDB119FA8DC48EEE7B7AEB08320F148125F915EB2A1DB759D41DBA0

Function 00D18C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00D18D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D18D45
CharNextW.USER32(0000014E), ref: 00D18D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00D18DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00D18DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D18DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00D18DF9
SetWindowTextW.USER32(?,0000014E), ref: 00D18E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00D18E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D18E8C
_memset.LIBCMT ref: 00D18EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00D18EFA
_memset.LIBCMT ref: 00D18F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D18F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00D18FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00D19088
InvalidateRect.USER32(?,00000000,00000001), ref: 00D190AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D190F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00D19121
DrawMenuBar.USER32(?), ref: 00D19130
SetWindowTextW.USER32(?,0000014E), ref: 00D19158

Strings

0, xrefs: 00D190C2

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: fd46d26439916f34ead5a8f987023655710c2839d52a419f6fe7a2fcdc57ed21
Instruction ID: f7210f3c31362529421a225b69b78b209f72e0d9799bc502a7c0a8d220007d59
Opcode Fuzzy Hash: fd46d26439916f34ead5a8f987023655710c2839d52a419f6fe7a2fcdc57ed21
Instruction Fuzzy Hash: 98E15D70900319BADF20DF64EC88AEEBB79EF15710F148155F9559A290DF708AC5AB70

Function 00D14B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D14C51
GetDesktopWindow.USER32 ref: 00D14C66
GetWindowRect.USER32(00000000), ref: 00D14C6D
GetWindowLongW.USER32(?,000000F0), ref: 00D14CCF
DestroyWindow.USER32(?), ref: 00D14CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D14D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D14D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00D14D68
SendMessageW.USER32(?,00000421,?,?), ref: 00D14D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00D14D90
IsWindowVisible.USER32(?), ref: 00D14DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00D14DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00D14DDF
GetWindowRect.USER32(?,?), ref: 00D14DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00D14E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00D14E37
CopyRect.USER32(?,?), ref: 00D14E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00D14EB9

Strings

(, xrefs: 00D14E2A
0, xrefs: 00D14BFC
tooltips_class32, xrefs: 00D14D1D

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d2d7ba3618e98e43cbdb667e8b6a8b244be4406fe5685337a99e0f0cc0da5006
Instruction ID: 6ee40fb1b6aa8472eada708b658c8a1da6fdf2ead8116bbfef81ce9704bf002f
Opcode Fuzzy Hash: d2d7ba3618e98e43cbdb667e8b6a8b244be4406fe5685337a99e0f0cc0da5006
Instruction Fuzzy Hash: DCB1AF71608341AFDB04DF68D948BAABBE5FF84710F00891CF5999B2A1DB71EC45CBA1

Function 00CF46D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00CF46E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00CF470E
_wcscpy.LIBCMT ref: 00CF473C
_wcscmp.LIBCMT ref: 00CF4747
_wcscat.LIBCMT ref: 00CF475D
_wcsstr.LIBCMT ref: 00CF4768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00CF4784
_wcscat.LIBCMT ref: 00CF47CD
_wcscat.LIBCMT ref: 00CF47D4
_wcsncpy.LIBCMT ref: 00CF47FF

Strings

DefaultLangCodepage, xrefs: 00CF47E7
\VarFileInfo\Translation, xrefs: 00CF477C
04090000, xrefs: 00CF47BA
StringFileInfo\, xrefs: 00CF4757
%u.%u.%u.%u, xrefs: 00CF4862

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 08d61eabf6fdd01c8b7244e5a0a43fdc42f80d1698c28f6f9805e2a69a1d16d9
Instruction ID: 1013d39451641ea95523cfb04e35bb739b3344362f3d5d25a916bb1a51b8e5a6
Opcode Fuzzy Hash: 08d61eabf6fdd01c8b7244e5a0a43fdc42f80d1698c28f6f9805e2a69a1d16d9
Instruction Fuzzy Hash: 82412732A402147FEB15BBA49C47EFF77ACDF02750F04016AF904E6182EF749A01A6B6

Function 00C927D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C928BC
GetSystemMetrics.USER32(00000007), ref: 00C928C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C928EF
GetSystemMetrics.USER32(00000008), ref: 00C928F7
GetSystemMetrics.USER32(00000004), ref: 00C9291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C92939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C92949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C9297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C92990
GetClientRect.USER32(00000000,000000FF), ref: 00C929AE
GetStockObject.GDI32(00000011), ref: 00C929CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C929D5

Part of subcall function 00C92344: GetCursorPos.USER32(?), ref: 00C92357
Part of subcall function 00C92344: ScreenToClient.USER32(00D567B0,?), ref: 00C92374
Part of subcall function 00C92344: GetAsyncKeyState.USER32(00000001), ref: 00C92399
Part of subcall function 00C92344: GetAsyncKeyState.USER32(00000002), ref: 00C923A7

SetTimer.USER32(00000000,00000000,00000028,00C91256), ref: 00C929FC

Strings

AutoIt v3 GUI, xrefs: 00C92974

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7ce9e0e4b07daea03e9a5790aefa77560841277ec707bb85b50e882d83098cc3
Instruction ID: ccd29b61adfead61c79f7d2bc07f39afa213b1c2de6d0fc809b87a316ebc10df
Opcode Fuzzy Hash: 7ce9e0e4b07daea03e9a5790aefa77560841277ec707bb85b50e882d83098cc3
Instruction Fuzzy Hash: FEB14B71A0034AAFDF14DFA8D889BE97BA5FB08311F108129FA55E72A0DB74D941CB60

Function 00D14069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D140F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00D141B6

Strings

GETSELECTED, xrefs: 00D142E4
SELECTINVERT, xrefs: 00D14286
DESELECT, xrefs: 00D142A4
VIEWCHANGE, xrefs: 00D14375
SELECTALL, xrefs: 00D1421D
SELECTCLEAR, xrefs: 00D14235
GETSUBITEMCOUNT, xrefs: 00D14141
GETTEXT, xrefs: 00D1415F
GETITEMCOUNT, xrefs: 00D14128
GETSELECTEDCOUNT, xrefs: 00D14199
ISSELECTED, xrefs: 00D141C1
SELECT, xrefs: 00D14250
FINDITEM, xrefs: 00D14329

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: f8697e055ae0bc0c6dc79e61606686c28353c12851973fe0ec7d164dee29827a
Instruction ID: 1819fe99595dcda1f594f2c6bc397b0f17715385b73cada462bbd5c42b258a28
Opcode Fuzzy Hash: f8697e055ae0bc0c6dc79e61606686c28353c12851973fe0ec7d164dee29827a
Instruction Fuzzy Hash: D2A19230214341AFCB14EF24D951AAAB3A5FF94314F14896DB8AA9B3D2DF30EC45DB61

Function 00D052F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00D05309
LoadCursorW.USER32(00000000,00007F8A), ref: 00D05314
LoadCursorW.USER32(00000000,00007F00), ref: 00D0531F
LoadCursorW.USER32(00000000,00007F03), ref: 00D0532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00D05335
LoadCursorW.USER32(00000000,00007F01), ref: 00D05340
LoadCursorW.USER32(00000000,00007F81), ref: 00D0534B
LoadCursorW.USER32(00000000,00007F88), ref: 00D05356
LoadCursorW.USER32(00000000,00007F80), ref: 00D05361
LoadCursorW.USER32(00000000,00007F86), ref: 00D0536C
LoadCursorW.USER32(00000000,00007F83), ref: 00D05377
LoadCursorW.USER32(00000000,00007F85), ref: 00D05382
LoadCursorW.USER32(00000000,00007F82), ref: 00D0538D
LoadCursorW.USER32(00000000,00007F84), ref: 00D05398
LoadCursorW.USER32(00000000,00007F04), ref: 00D053A3
LoadCursorW.USER32(00000000,00007F02), ref: 00D053AE
GetCursorInfo.USER32(?), ref: 00D053BE
GetLastError.KERNEL32(00000001,00000000), ref: 00D053E9

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: f9e95a8b6ce398b83f43fa41075fa03fd2ac48de80cb11e3e90498c2c2b63129
Instruction ID: a857054df352870d4c639f47b34987cbdc3c220366687964adce15ef67de1a60
Opcode Fuzzy Hash: f9e95a8b6ce398b83f43fa41075fa03fd2ac48de80cb11e3e90498c2c2b63129
Instruction Fuzzy Hash: E5416270E043196ADB109FBA9C499AFFFF8EF51B50B10452FE509E72D1DAB8A401CE61

Function 00CEAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00CEAAA5
__swprintf.LIBCMT ref: 00CEAB46
_wcscmp.LIBCMT ref: 00CEAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00CEABAE
_wcscmp.LIBCMT ref: 00CEABEA
GetClassNameW.USER32(?,?,00000400), ref: 00CEAC21
GetDlgCtrlID.USER32(?), ref: 00CEAC73
GetWindowRect.USER32(?,?), ref: 00CEACA9
GetParent.USER32(?), ref: 00CEACC7
ScreenToClient.USER32(00000000), ref: 00CEACCE
GetClassNameW.USER32(?,?,00000100), ref: 00CEAD48
_wcscmp.LIBCMT ref: 00CEAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00CEAD82
_wcscmp.LIBCMT ref: 00CEAD96

Part of subcall function 00CB386C: _iswctype.LIBCMT ref: 00CB3874

Strings

%s%u, xrefs: 00CEAB40

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 5472bafaa49d5dc747cd91e2669fd753dfe9bb2ed81a51ffc2ce0a470d4b3e02
Instruction ID: c4644c8467ef7be84ddddf7bf734852b44e9f720421fa75c832740815292476c
Opcode Fuzzy Hash: 5472bafaa49d5dc747cd91e2669fd753dfe9bb2ed81a51ffc2ce0a470d4b3e02
Instruction Fuzzy Hash: 02A1C271204386AFD714DF26C884BEAB7E8FF04315F108629F9A9D2190DB30FA55DB92

Function 00CEB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00CEB3DB
_wcscmp.LIBCMT ref: 00CEB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00CEB414
CharUpperBuffW.USER32(?,00000000), ref: 00CEB431
_wcscmp.LIBCMT ref: 00CEB44F
_wcsstr.LIBCMT ref: 00CEB460
GetClassNameW.USER32(00000018,?,00000400), ref: 00CEB498
_wcscmp.LIBCMT ref: 00CEB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00CEB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00CEB518
_wcscmp.LIBCMT ref: 00CEB528
GetClassNameW.USER32(00000010,?,00000400), ref: 00CEB550
GetWindowRect.USER32(00000004,?), ref: 00CEB5B9

Strings

@, xrefs: 00CEB3BC
ThumbnailClass, xrefs: 00CEB4A3, 00CEB523

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 9cc9e98adb10a9009425fa93f463a6ffcdea6c8aaba59b2f8ea077860d44ca51
Instruction ID: 90e85bab75cb67630a6e6e9999c7f225d382410bde1353eb2634febb8b03e6cd
Opcode Fuzzy Hash: 9cc9e98adb10a9009425fa93f463a6ffcdea6c8aaba59b2f8ea077860d44ca51
Instruction Fuzzy Hash: 6681DE710083869BDB04CF12C885FBB7BE8EF44314F048569FD999A0A6DB34DE46CBA1

Function 00CEB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00CEB23F

Strings

[HANDLE:, xrefs: 00CEB24B
HANDLE=, xrefs: 00CEB238
ACTIVE, xrefs: 00CEB21A
LAST, xrefs: 00CEB204
REGEXP=, xrefs: 00CEB254
[ALL, xrefs: 00CEB2E5
[LAST, xrefs: 00CEB2EC
[ACTIVE, xrefs: 00CEB22C
[CLASS:, xrefs: 00CEB28F
ALL, xrefs: 00CEB2D3
[REGEXPTITLE:, xrefs: 00CEB267
CLASSNAME=, xrefs: 00CEB27C

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 9db5248f54de443a0098a1cbb06a0f07b4bfd8bb398434756bbc465ffc9d5151
Instruction ID: b9d4b749c5e647be6629068aaf501835e8dc954376a15f215a4ec2b9d295fde3
Opcode Fuzzy Hash: 9db5248f54de443a0098a1cbb06a0f07b4bfd8bb398434756bbc465ffc9d5151
Instruction Fuzzy Hash: 6D318131A44285ABDF14FBA2CD57EFFB7A89F20750F600125B551710E2EF616F08E661

Function 00CEC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00CEC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CEC4E6
SetWindowTextW.USER32(?,?), ref: 00CEC4FD
GetDlgItem.USER32(?,000003EA), ref: 00CEC512
SetWindowTextW.USER32(00000000,?), ref: 00CEC518
GetDlgItem.USER32(?,000003E9), ref: 00CEC528
SetWindowTextW.USER32(00000000,?), ref: 00CEC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00CEC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00CEC569
GetWindowRect.USER32(?,?), ref: 00CEC572
SetWindowTextW.USER32(?,?), ref: 00CEC5DD
GetDesktopWindow.USER32 ref: 00CEC5E3
GetWindowRect.USER32(00000000), ref: 00CEC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00CEC636
GetClientRect.USER32(?,?), ref: 00CEC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00CEC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00CEC693

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 7b37d3afdb14dae72a930af30f15bb45fe250390e0de818fee52096ce8d02016
Instruction ID: 423cc8b295017111a2d325af8d5a77a3e7d4605000ba15729a82a0734dccd0fd
Opcode Fuzzy Hash: 7b37d3afdb14dae72a930af30f15bb45fe250390e0de818fee52096ce8d02016
Instruction Fuzzy Hash: 96517071900709AFDB20DFA9DD85BAFBBF5FF04705F004528E656A26A0CB74B906DB50

Function 00D1A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D1A4C8
DestroyWindow.USER32(?,?), ref: 00D1A542

Part of subcall function 00C97D2C: _memmove.LIBCMT ref: 00C97D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D1A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D1A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D1A5F1
DestroyWindow.USER32(00000000), ref: 00D1A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C90000,00000000), ref: 00D1A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D1A663
GetDesktopWindow.USER32 ref: 00D1A67C
GetWindowRect.USER32(00000000), ref: 00D1A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D1A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D1A6B3

Part of subcall function 00C925DB: GetWindowLongW.USER32(?,000000EB), ref: 00C925EC

Strings

0, xrefs: 00D1A4DE
tooltips_class32, xrefs: 00D1A5B5, 00D1A643

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 7e7fdec1fa46ca711dc3acf4dde7df75eb1391b0bf827b942c666506fb81f950
Instruction ID: 39094d0e9d2af4d9bb748a8645d8f09b122ccdecfe5ffd7796c247318c746d89
Opcode Fuzzy Hash: 7e7fdec1fa46ca711dc3acf4dde7df75eb1391b0bf827b942c666506fb81f950
Instruction Fuzzy Hash: 26718D71244705AFD720CF28DC49FAA7BE6EB88301F48452DF985873A0DB70E946CB22

Function 00D1C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C92612: GetWindowLongW.USER32(?,000000EB), ref: 00C92623

DragQueryPoint.SHELL32(?,?), ref: 00D1C917

Part of subcall function 00D1ADF1: ClientToScreen.USER32(?,?), ref: 00D1AE1A
Part of subcall function 00D1ADF1: GetWindowRect.USER32(?,?), ref: 00D1AE90
Part of subcall function 00D1ADF1: PtInRect.USER32(?,?,00D1C304), ref: 00D1AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00D1C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D1C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D1C9AE
_wcscat.LIBCMT ref: 00D1C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D1C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00D1CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00D1CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00D1CA47
DragFinish.SHELL32(?), ref: 00D1CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00D1CB41

Strings

@GUI_DROPID, xrefs: 00D1CA6E
@GUI_DRAGFILE, xrefs: 00D1CAF0
@GUI_DRAGID, xrefs: 00D1CAB9

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 4d14b8a17975cd0ae95f7cbf254ded05ba7f24832d147812efe65d5647d63cba
Instruction ID: 89a76a2079911030429f0c24ed00fb86003ef496a0dcaf3845c01cc487be82a4
Opcode Fuzzy Hash: 4d14b8a17975cd0ae95f7cbf254ded05ba7f24832d147812efe65d5647d63cba
Instruction Fuzzy Hash: 34616B71108300AFCB01DF64DC89D9FBBE8EF99710F404A2EF595972A1DB709A49DB62

Function 00D14619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00D146AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D146F6

Strings

GETTEXT, xrefs: 00D14849
GETSELECTED, xrefs: 00D14806
CHECK, xrefs: 00D14716
GETITEMCOUNT, xrefs: 00D147D8
ISCHECKED, xrefs: 00D14879
UNCHECK, xrefs: 00D148D2
EXISTS, xrefs: 00D1475F
EXPAND, xrefs: 00D147A8
GETTOTALCOUNT, xrefs: 00D146DD
SELECT, xrefs: 00D148A7
COLLAPSE, xrefs: 00D1473C

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: ff1e088d10d41f18993aa81613f9486b207d42b7dffa808cee4c27abb7e77850
Instruction ID: 1dc8cbde4037f8816e99e711cae4a1cb132eb1286aeef4608e664bc7e9de215a
Opcode Fuzzy Hash: ff1e088d10d41f18993aa81613f9486b207d42b7dffa808cee4c27abb7e77850
Instruction Fuzzy Hash: 64916E74204701AFCB14EF24D451AAEB7A5EF94314F14845DF89A5B3A2CF30ED4AEBA1

Function 00D1BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D1BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00D19431), ref: 00D1BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D1BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D1BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D1BC7D
FreeLibrary.KERNEL32(?), ref: 00D1BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D1BC99
DestroyIcon.USER32(?,?,?,?,?,00D19431), ref: 00D1BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D1BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D1BCD1

Part of subcall function 00CB313D: __wcsicmp_l.LIBCMT ref: 00CB31C6

Strings

.exe, xrefs: 00D1BB04
.dll, xrefs: 00D1BB27
.icl, xrefs: 00D1BAE4

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 254b18aa311b128c506f85845ceb55cce8807049698d8d046e19f13cc5e4a6da
Instruction ID: 6f4f646006cb07330a9f9246edafa6ef91908f2514500bbc6fff5f82947336c8
Opcode Fuzzy Hash: 254b18aa311b128c506f85845ceb55cce8807049698d8d046e19f13cc5e4a6da
Instruction Fuzzy Hash: 5461CE71600619BAEB14DF74DC45BFE77A8EB08721F10821AF815D61C1DF74A984DBB0

Function 00CFA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C99997: __itow.LIBCMT ref: 00C999C2
Part of subcall function 00C99997: __swprintf.LIBCMT ref: 00C99A0C

CharLowerBuffW.USER32(?,?), ref: 00CFA636
GetDriveTypeW.KERNEL32 ref: 00CFA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CFA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CFA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CFA730

Part of subcall function 00C97D2C: _memmove.LIBCMT ref: 00C97D66

Strings

close cd wait, xrefs: 00CFA71B
set cd door , xrefs: 00CFA6D1
wait, xrefs: 00CFA6ED
close, xrefs: 00CFA63C
open, xrefs: 00CFA65D
closed, xrefs: 00CFA64A, 00CFA653
type cdaudio alias cd wait, xrefs: 00CFA6AE
open , xrefs: 00CFA692

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 2c39726c5a8d7bf66e9f61d7ffb065ab33dc94e1473501ba368500829182d9d2
Instruction ID: a79e905513b515b6aa29ab77484f3d3e32017f0020415ea11f5c187b59fda3a7
Opcode Fuzzy Hash: 2c39726c5a8d7bf66e9f61d7ffb065ab33dc94e1473501ba368500829182d9d2
Instruction Fuzzy Hash: 38515D711047059FCB00EF24C88596AB7F4FF84718F14896DF89A972A1DB31EE0ADB52

Function 00CFA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CFA47A
__swprintf.LIBCMT ref: 00CFA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CFA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CFA4FE
_memset.LIBCMT ref: 00CFA51D
_wcsncpy.LIBCMT ref: 00CFA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CFA58E
CloseHandle.KERNEL32(00000000), ref: 00CFA599
RemoveDirectoryW.KERNEL32(?), ref: 00CFA5A2
CloseHandle.KERNEL32(00000000), ref: 00CFA5AC

Strings

:, xrefs: 00CFA4BD
\??\%s, xrefs: 00CFA496
\, xrefs: 00CFA4B2

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 893b3973992672f4e0ba3de879a8799c43682ff9f089049ea3b635aff6d7d1f3
Instruction ID: be82d50e28f0a81594f6f5e30dc8afc81196fa0f623150d1ca7b78dc4327e6f5
Opcode Fuzzy Hash: 893b3973992672f4e0ba3de879a8799c43682ff9f089049ea3b635aff6d7d1f3
Instruction Fuzzy Hash: E3318EB5500219ABDB21DFA0DC49FFB77BCEF88701F1041B6FA18D6160EA7097458B26

Function 00D1BCED Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00D19476,?,?), ref: 00D1BD10
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00D19476,?,?,00000000,?), ref: 00D1BD27
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00D19476,?,?,00000000,?), ref: 00D1BD32
CloseHandle.KERNEL32(00000000,?,?,?,?,00D19476,?,?,00000000,?), ref: 00D1BD3F
GlobalLock.KERNEL32(00000000), ref: 00D1BD48
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00D19476,?,?,00000000,?), ref: 00D1BD57
GlobalUnlock.KERNEL32(00000000), ref: 00D1BD60
CloseHandle.KERNEL32(00000000,?,?,?,?,00D19476,?,?,00000000,?), ref: 00D1BD67
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00D19476,?,?,00000000,?), ref: 00D1BD78
OleLoadPicture.OLEAUT32(?,00000000,00000000,00D22CAC,?), ref: 00D1BD91
GlobalFree.KERNEL32(00000000), ref: 00D1BDA1
GetObjectW.GDI32(00000000,00000018,?), ref: 00D1BDC5
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00D1BDF0
DeleteObject.GDI32(00000000), ref: 00D1BE18
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D1BE2E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 021601033fdd2d06bc77fbaf360d7a2f752fe9e499bd70b7195587460eee95f5
Instruction ID: 2b38a1647e2873c59457a88a3985a2d19badd4779259b1a37f467743a90a045a
Opcode Fuzzy Hash: 021601033fdd2d06bc77fbaf360d7a2f752fe9e499bd70b7195587460eee95f5
Instruction Fuzzy Hash: C2412775640308FFDB119F65EC88EEA7BB8EB89721F148069F906D7260DB309942CB70

Function 00CFDB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00CFDC7B
_wcscat.LIBCMT ref: 00CFDC93
_wcscat.LIBCMT ref: 00CFDCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CFDCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 00CFDCCE
GetFileAttributesW.KERNEL32(?), ref: 00CFDCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 00CFDD00
SetCurrentDirectoryW.KERNEL32(?), ref: 00CFDD12

Strings

*.*, xrefs: 00CFDD51

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 52b4c18a0f97da8b8a3c78b52f682d07ba5e6b554a496aa99cfa8df27bb9be20
Instruction ID: 70ba5286170b27ed572ad0d49c96744e5ff1761313791a2e825b7befeb89cb3c
Opcode Fuzzy Hash: 52b4c18a0f97da8b8a3c78b52f682d07ba5e6b554a496aa99cfa8df27bb9be20
Instruction Fuzzy Hash: 0481A2715043499FCBA4DF64C8459BEB7E9FB88300F15882EF99AC7250EA30DA45DB53

Function 00D1C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C92612: GetWindowLongW.USER32(?,000000EB), ref: 00C92623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D1C4EC
GetFocus.USER32 ref: 00D1C4FC
GetDlgCtrlID.USER32(00000000), ref: 00D1C507
_memset.LIBCMT ref: 00D1C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00D1C65D
GetMenuItemCount.USER32(?), ref: 00D1C67D
GetMenuItemID.USER32(?,00000000), ref: 00D1C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00D1C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00D1C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D1C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00D1C779

Strings

0, xrefs: 00D1C62A

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: e67754195e5b4453dd2498dd2af8ddab0612257a98d9d18a9a7529bfc942f29c
Instruction ID: 5a32a8c3ecdc0741181e403b2366f8b0a35819433a85db2123960e99b952fdb2
Opcode Fuzzy Hash: e67754195e5b4453dd2498dd2af8ddab0612257a98d9d18a9a7529bfc942f29c
Instruction Fuzzy Hash: AC817D70258301AFDB10DF14E884AABBBE9FB88314F04552DF995D72A1DB70D985CBB2

Function 00CE83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CE8766
Part of subcall function 00CE874A: GetLastError.KERNEL32(?,00CE822A,?,?,?), ref: 00CE8770
Part of subcall function 00CE874A: GetProcessHeap.KERNEL32(00000008,?,?,00CE822A,?,?,?), ref: 00CE877F
Part of subcall function 00CE874A: HeapAlloc.KERNEL32(00000000,?,00CE822A,?,?,?), ref: 00CE8786
Part of subcall function 00CE874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CE879D

Part of subcall function 00CE87E7: GetProcessHeap.KERNEL32(00000008,00CE8240,00000000,00000000,?,00CE8240,?), ref: 00CE87F3
Part of subcall function 00CE87E7: HeapAlloc.KERNEL32(00000000,?,00CE8240,?), ref: 00CE87FA
Part of subcall function 00CE87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00CE8240,?), ref: 00CE880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CE8458
_memset.LIBCMT ref: 00CE846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CE848C
GetLengthSid.ADVAPI32(?), ref: 00CE849D
GetAce.ADVAPI32(?,00000000,?), ref: 00CE84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CE84F6
GetLengthSid.ADVAPI32(?), ref: 00CE8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00CE8522
HeapAlloc.KERNEL32(00000000), ref: 00CE8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CE854A
CopySid.ADVAPI32(00000000), ref: 00CE8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CE8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CE85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CE85BC

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: d3da393cc30cfb3f18b22085337fce4a4b042ce6719f0cd6308fa9d2a1641419
Instruction ID: 83b19f6eefbe461af8848b8bd760e06a53c5825a8d68470adad80ee45decbebb
Opcode Fuzzy Hash: d3da393cc30cfb3f18b22085337fce4a4b042ce6719f0cd6308fa9d2a1641419
Instruction Fuzzy Hash: 8D611971900249ABDF10DFA5DC45AEEBBB9FF04300F14816AF929E6291DF319A09DF60

Function 00D0762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D076A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00D076AE
CreateCompatibleDC.GDI32(?), ref: 00D076BA
SelectObject.GDI32(00000000,?), ref: 00D076C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00D0771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00D07757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00D0777B
SelectObject.GDI32(00000006,?), ref: 00D07783
DeleteObject.GDI32(?), ref: 00D0778C
DeleteDC.GDI32(00000006), ref: 00D07793
ReleaseDC.USER32(00000000,?), ref: 00D0779E

Strings

(, xrefs: 00D07723

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 2fe3674927bc28b4ca4877d43fadfdd81b51eeb0fc92b6594ffcbffb423dcaa0
Instruction ID: 7b4a4d292859b67211ec71a47524a2ba6bb89104610cb536183b597aac60e7ae
Opcode Fuzzy Hash: 2fe3674927bc28b4ca4877d43fadfdd81b51eeb0fc92b6594ffcbffb423dcaa0
Instruction Fuzzy Hash: AD513775904309EFCB15CFA8CC84FAEBBB9EF48350F14842DF94AA7251D631A9418B60

Function 00CFA0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00D1FB78), ref: 00CFA0FC

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00CFA11E
__swprintf.LIBCMT ref: 00CFA177
__swprintf.LIBCMT ref: 00CFA190
_wprintf.LIBCMT ref: 00CFA246
_wprintf.LIBCMT ref: 00CFA264

Strings

"%s" (%d) : ==> %s:, xrefs: 00CFA25F
^ ERROR, xrefs: 00CFA1E8
Error: , xrefs: 00CFA20E
Line %d (File "%s"):, xrefs: 00CFA171, 00CFA18A
"%s" (%d) : ==> %s:%s%s, xrefs: 00CFA241

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: ea7973dba34085ae9ae75730ff7a12ee8a9b408e4a237c9cf7c942452aaa7a42
Instruction ID: 2d809d2ebc543096c41b3f49dcee0b264eaeeab383232600c119674cf6cd684d
Opcode Fuzzy Hash: ea7973dba34085ae9ae75730ff7a12ee8a9b408e4a237c9cf7c942452aaa7a42
Instruction Fuzzy Hash: 73516071905209BBCF15EBE0CD4AEEEB778AF04300F504265F519B21A1EB316F59EB61

Function 00C96BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00CB0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C96C6C,?,00008000), ref: 00CB0BB7

Part of subcall function 00C948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C948A1,?,?,00C937C0,?), ref: 00C948CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C96D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00C96E5A

Part of subcall function 00C959CD: _wcscpy.LIBCMT ref: 00C95A05

Part of subcall function 00CB387D: _iswctype.LIBCMT ref: 00CB3885

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 00CCE84A
Unterminated string, xrefs: 00CCEC0D
>>>AUTOIT SCRIPT<<<, xrefs: 00CCE8BF
Bad directive syntax error, xrefs: 00CCEBC6
AU3!, xrefs: 00C96CC1
EA06, xrefs: 00CCE87B
Error opening the file, xrefs: 00CCE866, 00CCE8E1

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 2f02a553e8ddf982968442db0d745889252224f867f399475e10154608880a0d
Instruction ID: 8f64f91815b5ec235ead2860b5ceeea45b8babc6869fc49f1a2f77ab9a023aea
Opcode Fuzzy Hash: 2f02a553e8ddf982968442db0d745889252224f867f399475e10154608880a0d
Instruction Fuzzy Hash: 9802AA311083419FCB24EF24C895EAFBBE5BF89314F14091DF49A972A1DB30DA49EB52

Function 00C945DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C945F9
GetMenuItemCount.USER32(00D56890), ref: 00CCD7CD
GetMenuItemCount.USER32(00D56890), ref: 00CCD87D
GetCursorPos.USER32(?), ref: 00CCD8C1
SetForegroundWindow.USER32(00000000), ref: 00CCD8CA
TrackPopupMenuEx.USER32(00D56890,00000000,?,00000000,00000000,00000000), ref: 00CCD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CCD8E9

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: a794522b2aad5f225e0b9dfcde2a922eb186b9e8cac03ec4de8f71f17c1e9e83
Instruction ID: 601233d1a4b8678db60440c4dcc3925c54dd94dd385293f701dc17cdbeaf3e97
Opcode Fuzzy Hash: a794522b2aad5f225e0b9dfcde2a922eb186b9e8cac03ec4de8f71f17c1e9e83
Instruction Fuzzy Hash: 7571F370600345BEFB249F15DC89FEABF65FF05364F20422AF529A61E0CBB16950DBA0

Function 00D110A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D10038,?,?), ref: 00D110BC

Strings

HKCC, xrefs: 00D1118A
HKEY_CURRENT_CONFIG, xrefs: 00D11179
HKCR, xrefs: 00D11164
HKU, xrefs: 00D111CE
HKLM, xrefs: 00D1113A
HKEY_CLASSES_ROOT, xrefs: 00D1114F
HKEY_LOCAL_MACHINE, xrefs: 00D11125
HKEY_CURRENT_USER, xrefs: 00D1119B
HKEY_USERS, xrefs: 00D111BD
HKCU, xrefs: 00D111AC

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 988a7ab372e5c128d6fadd41577d2f544190568304cf842c1743358c44bfeaea
Instruction ID: de1f6e0a537eeb2f27a6d327c1e1650c181e1590e4552a3884424cc1b0684bde
Opcode Fuzzy Hash: 988a7ab372e5c128d6fadd41577d2f544190568304cf842c1743358c44bfeaea
Instruction Fuzzy Hash: 04417A7415134AABCF10EFA0E891AEB3724BF25310F248455FE915B292DB30E99ADB70

Function 00CEFCB1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00CCE6C9,00000010,?,Bad directive syntax error,00D1F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00CEFCD2
LoadStringW.USER32(00000000,?,00CCE6C9,00000010), ref: 00CEFCD9

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

_wprintf.LIBCMT ref: 00CEFD0C
__swprintf.LIBCMT ref: 00CEFD2E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00CEFD9D

Strings

Error: , xrefs: 00CEFD6B
Line %d (File "%s"):, xrefs: 00CEFD43
., xrefs: 00CEFD83
%s (%d) : ==> %s.: %s %s, xrefs: 00CEFD07
Line %d:, xrefs: 00CEFD28

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: fc39dc7b1f695a597875afc99a2ef3dc9df38ee1bb70e2d9f1919c1d82b368c6
Instruction ID: 2926a2a788c2efb77628310a901e2a93b5656e6e365e71ad8a5782868a682c9d
Opcode Fuzzy Hash: fc39dc7b1f695a597875afc99a2ef3dc9df38ee1bb70e2d9f1919c1d82b368c6
Instruction Fuzzy Hash: 1921803291521AFFCF12EF90CC5AEEE7735BF18300F044469F515620A2EA719A59EB61

Function 00CF5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00C97D2C: _memmove.LIBCMT ref: 00C97D66

Part of subcall function 00C97A84: _memmove.LIBCMT ref: 00C97B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CF55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CF55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CF55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CF560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CF561C

Strings

alias PlayMe, xrefs: 00CF55AB
play PlayMe, xrefs: 00CF5617
status PlayMe mode, xrefs: 00CF55CD
close PlayMe, xrefs: 00CF55E3, 00CF5610
open , xrefs: 00CF5581
play PlayMe wait, xrefs: 00CF5606

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 5bd32f4ff99e436630e7e44160191f56015242f576019d46c8624db444bbc960
Instruction ID: 595edc4cabf682ffea45c1762c670709fa0c20b16501ef2bdfb640252fb58c98
Opcode Fuzzy Hash: 5bd32f4ff99e436630e7e44160191f56015242f576019d46c8624db444bbc960
Instruction Fuzzy Hash: AF1190216A116D7EDB20BBA5CC4EDFF7A7CEF91F00F400569B611A20D1EE601E09C5B2

Function 00CF48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CF490E
gethostname.WSOCK32(?,00000100), ref: 00CF4928
gethostbyname.WSOCK32(?), ref: 00CF4935
_wcscpy.LIBCMT ref: 00CF495D
_memmove.LIBCMT ref: 00CF4970
inet_ntoa.WSOCK32(?), ref: 00CF497B
_strcat.LIBCMT ref: 00CF4989
_wcscpy.LIBCMT ref: 00CF49A0
WSACleanup.WSOCK32 ref: 00CF49AE
_wcscpy.LIBCMT ref: 00CF49BC

Strings

0.0.0.0, xrefs: 00CF4957

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: f076af0c2e5559fadeb7e4def5749dd2a700f9e4c0abf972634bd9ce23190592
Instruction ID: 4d705ccdf2b198749c4b2aeda477b5029469b892bce48b00763437f42b6ade10
Opcode Fuzzy Hash: f076af0c2e5559fadeb7e4def5749dd2a700f9e4c0abf972634bd9ce23190592
Instruction Fuzzy Hash: 3211D871A08119BFCB24EB64AC05EEB77BC9B00710F044175F614D6191EFB09B819662

Function 00CF5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00CF521C

Part of subcall function 00CB0719: timeGetTime.WINMM(?,7694B400,00CA0FF9), ref: 00CB071D

Sleep.KERNEL32(0000000A), ref: 00CF5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00CF526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00CF528E
SetActiveWindow.USER32 ref: 00CF52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CF52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00CF52DA
Sleep.KERNEL32(000000FA), ref: 00CF52E5
IsWindow.USER32 ref: 00CF52F1
EndDialog.USER32(00000000), ref: 00CF5302

Strings

BUTTON, xrefs: 00CF5280

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0880e834f5567744d967cf7e2fed974df9ac75dc693b1f495c0472db9227c796
Instruction ID: c48828c3804e0f5d1e32b03ff96b9ba686476b8da77362ff0cf7933c07a44847
Opcode Fuzzy Hash: 0880e834f5567744d967cf7e2fed974df9ac75dc693b1f495c0472db9227c796
Instruction Fuzzy Hash: 9F21A171204B08BFE7415B24FC88B7A3B69EB5438BF205524FB01D23B1DF619D459A32

Function 00CFD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99997: __itow.LIBCMT ref: 00C999C2
Part of subcall function 00C99997: __swprintf.LIBCMT ref: 00C99A0C

CoInitialize.OLE32(00000000), ref: 00CFD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CFD8E8
SHGetDesktopFolder.SHELL32(?), ref: 00CFD8FC
CoCreateInstance.OLE32(00D22D7C,00000000,00000001,00D4A89C,?), ref: 00CFD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CFD9B7
CoTaskMemFree.OLE32(?,?), ref: 00CFDA0F
_memset.LIBCMT ref: 00CFDA4C
SHBrowseForFolderW.SHELL32(?), ref: 00CFDA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CFDAAB
CoTaskMemFree.OLE32(00000000), ref: 00CFDAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00CFDAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00CFDAEB

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: b5b560d4a608ed1ceebf3d5aec1730f54ac4aa5baab8dd5de21125dc6392d84b
Instruction ID: bddb42477cf2c007b017daa0270a0ff33e5e8dae49e1562d0615608d252e2feb
Opcode Fuzzy Hash: b5b560d4a608ed1ceebf3d5aec1730f54ac4aa5baab8dd5de21125dc6392d84b
Instruction Fuzzy Hash: C1B10D75A00209AFDB44DFA4C888DAEBBF9FF48314B148469F50AEB251DB30EE45DB51

Function 00CF052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CF05A7
SetKeyboardState.USER32(?), ref: 00CF0612
GetAsyncKeyState.USER32(000000A0), ref: 00CF0632
GetKeyState.USER32(000000A0), ref: 00CF0649
GetAsyncKeyState.USER32(000000A1), ref: 00CF0678
GetKeyState.USER32(000000A1), ref: 00CF0689
GetAsyncKeyState.USER32(00000011), ref: 00CF06B5
GetKeyState.USER32(00000011), ref: 00CF06C3
GetAsyncKeyState.USER32(00000012), ref: 00CF06EC
GetKeyState.USER32(00000012), ref: 00CF06FA
GetAsyncKeyState.USER32(0000005B), ref: 00CF0723
GetKeyState.USER32(0000005B), ref: 00CF0731

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7c64eb3f4cace0fc327a02cc5f977a262ea70f398f190cf45dab2491f0fb6f27
Instruction ID: ab0eb14c1a2dbe49d2ae34a0d0645feacd5d029b1d0a1da42ea1bc9a56d71607
Opcode Fuzzy Hash: 7c64eb3f4cace0fc327a02cc5f977a262ea70f398f190cf45dab2491f0fb6f27
Instruction Fuzzy Hash: F2510C20A0478C29FB74DBA085547FABFB49F01780F18859ADBD2561C3DAA49B4CCB67

Function 00CEC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00CEC746
GetWindowRect.USER32(00000000,?), ref: 00CEC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00CEC7B6
GetDlgItem.USER32(?,00000002), ref: 00CEC7C1
GetWindowRect.USER32(00000000,?), ref: 00CEC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00CEC827
GetDlgItem.USER32(?,000003E9), ref: 00CEC835
GetWindowRect.USER32(00000000,?), ref: 00CEC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00CEC889
GetDlgItem.USER32(?,000003EA), ref: 00CEC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00CEC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00CEC8C1

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1296cc7c66089405dbd25db7296424d80e2a5b4a4432c0ab15680e6bd12fe6ef
Instruction ID: 26b21299347b09bed1bdae8a9d4d28d8d0fb878c7c513d5d577cf4854ddfdfc1
Opcode Fuzzy Hash: 1296cc7c66089405dbd25db7296424d80e2a5b4a4432c0ab15680e6bd12fe6ef
Instruction Fuzzy Hash: 63511D71B00205BFDB18CFA9DD99AAEBBBAEB88311F14812DF515D62D0DB709E41CB50

Function 00C9201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C92036,?,00000000,?,?,?,?,00C916CB,00000000,?), ref: 00C91B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C920D3
KillTimer.USER32(-00000001,?,?,?,?,00C916CB,00000000,?,?,00C91AE2,?,?), ref: 00C9216E
DestroyAcceleratorTable.USER32(00000000), ref: 00CCBEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C916CB,00000000,?,?,00C91AE2,?,?), ref: 00CCBF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C916CB,00000000,?,?,00C91AE2,?,?), ref: 00CCBF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C916CB,00000000,?,?,00C91AE2,?,?), ref: 00CCBF5A
DeleteObject.GDI32(00000000), ref: 00CCBF6C

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 55749d2c204ed0714d8ac7ac0d544a29d5d129d2b32d2d7085449f81dd70a2cf
Instruction ID: 631aaaa2e6605536e766731703a08ae355c0fef0634be07dd475427fc2a56340
Opcode Fuzzy Hash: 55749d2c204ed0714d8ac7ac0d544a29d5d129d2b32d2d7085449f81dd70a2cf
Instruction Fuzzy Hash: C8616634500710EFCB259F95DD49B2ABBB2FB44312F50852DE99287BA0C771AE91DFA0

Function 00C921A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00C925DB: GetWindowLongW.USER32(?,000000EB), ref: 00C925EC

GetSysColor.USER32(0000000F), ref: 00C921D3

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b7fc6bc12bd18f3e49b713e11f6e4ba1dbc98986e02cecd0aa716264f988ce2e
Instruction ID: 94e46aa1e689aadfee2da5335930f12c96e814b5afbbe68745d15006d4025668
Opcode Fuzzy Hash: b7fc6bc12bd18f3e49b713e11f6e4ba1dbc98986e02cecd0aa716264f988ce2e
Instruction Fuzzy Hash: BB415431104640BADF255F68DC8CBB93B65EB06331F184265FDB5CA2E6CB318D82DB61

Function 00CFAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00D1F910), ref: 00CFAB76
GetDriveTypeW.KERNEL32(00000061,00D4A620,00000061), ref: 00CFAC40
_wcscpy.LIBCMT ref: 00CFAC6A

Strings

network, xrefs: 00CFABD4
unknown, xrefs: 00CFAC01
cdrom, xrefs: 00CFAB92
ramdisk, xrefs: 00CFABEA
removable, xrefs: 00CFABA8
fixed, xrefs: 00CFABBE
all, xrefs: 00CFAB7C

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 8301b6a7910ef6cea7db7940d3a7c6a0919ef2d2129c3a76a967ee99cd51df3f
Instruction ID: 02a725ae15e84e6fcdcc5ac02e67f10bbc2ae1b0441003fed6ad865ef7842dd1
Opcode Fuzzy Hash: 8301b6a7910ef6cea7db7940d3a7c6a0919ef2d2129c3a76a967ee99cd51df3f
Instruction Fuzzy Hash: 15519B701583059FCB10EF18C885ABEF7A5EF84300F14882DF69A972A2DB319A49DA53

Function 00C99997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00C999C2
__swprintf.LIBCMT ref: 00C99A0C
__i64tow.LIBCMT ref: 00CCFA0F

Strings

True, xrefs: 00CCF9D0
False, xrefs: 00CCF9D7
0x%p, xrefs: 00CCF9F1
%.15g, xrefs: 00C99A06

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 3721667681efe1d51b71e9bd6f89a0c3219a3f845d80b45a99d7af0be1e23e54
Instruction ID: 21e94caedfb538a4465713dca2f3cb9fb7fc39e6f8913ed7125077186663e35b
Opcode Fuzzy Hash: 3721667681efe1d51b71e9bd6f89a0c3219a3f845d80b45a99d7af0be1e23e54
Instruction Fuzzy Hash: FE410571604205AFDF24EF78DC46F7AB3E9EB04300F24446EE55DD7291EA319A42DB11

Function 00D173C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D173D9
CreateMenu.USER32 ref: 00D173F4
SetMenu.USER32(?,00000000), ref: 00D17403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D17490
IsMenu.USER32(?), ref: 00D174A6
CreatePopupMenu.USER32 ref: 00D174B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D174DD
DrawMenuBar.USER32 ref: 00D174E5

Strings

F, xrefs: 00D174D1
0, xrefs: 00D173CF

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: be346c10123eebb1e50e1ddda4a38432dcb4938d008365b0fbc481d60f0e6eb6
Instruction ID: 97a175650b8cd8cd40abf199ad1978886fe43b36609fc97317483a18db718700
Opcode Fuzzy Hash: be346c10123eebb1e50e1ddda4a38432dcb4938d008365b0fbc481d60f0e6eb6
Instruction Fuzzy Hash: 50411875A05305EFDB10DF68E884ADABBB5FF49310F184129FD5597360DB31A950CBA0

Function 00D1772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D177CD
CreateCompatibleDC.GDI32(00000000), ref: 00D177D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D177E7
SelectObject.GDI32(00000000,00000000), ref: 00D177EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D177FA
DeleteDC.GDI32(00000000), ref: 00D17803
GetWindowLongW.USER32(?,000000EC), ref: 00D1780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00D17821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00D1782D

Strings

static, xrefs: 00D17765

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: b6b726bafd2d15fdcd6eee8dbec17dda6f70fcbd15dbebc4acc1c3d3ea1d59c1
Instruction ID: 48749b873ef03593d4539b8f47035e5ace805076af78b95a3b2657ea130cb6b4
Opcode Fuzzy Hash: b6b726bafd2d15fdcd6eee8dbec17dda6f70fcbd15dbebc4acc1c3d3ea1d59c1
Instruction Fuzzy Hash: 03316C32105215BBDF129FA4EC09FDA3B69EF09361F154225FA15E62A0CB31D852DBB4

Function 00CB7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CB707B

Part of subcall function 00CB8D68: __getptd_noexit.LIBCMT ref: 00CB8D68

__gmtime64_s.LIBCMT ref: 00CB7114
__gmtime64_s.LIBCMT ref: 00CB714A
__gmtime64_s.LIBCMT ref: 00CB7167
__allrem.LIBCMT ref: 00CB71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CB71D9
__allrem.LIBCMT ref: 00CB71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CB720E
__allrem.LIBCMT ref: 00CB7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CB7243
__invoke_watson.LIBCMT ref: 00CB72B4

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: e5678f1b15ed261f34a8184646f04f8e77152e3da84393edc33b1619ef46021f
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: DE71C671A04717ABD714AE79DC41BDAB3B8AF94320F14832AFD24E7281E770DA409791

Function 00CF2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CF2A31
GetMenuItemInfoW.USER32(00D56890,000000FF,00000000,00000030), ref: 00CF2A92
SetMenuItemInfoW.USER32(00D56890,00000004,00000000,00000030), ref: 00CF2AC8
Sleep.KERNEL32(000001F4), ref: 00CF2ADA
GetMenuItemCount.USER32(?), ref: 00CF2B1E
GetMenuItemID.USER32(?,00000000), ref: 00CF2B3A
GetMenuItemID.USER32(?,-00000001), ref: 00CF2B64
GetMenuItemID.USER32(?,?), ref: 00CF2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CF2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CF2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CF2C24

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: b509a2df5d539de6ea8f8944f8816325fc7c18b4161c89a77048410eccfa0130
Instruction ID: 4c4becf0bb153c7684446693ff989370575795fcdf80dcb0d22dee77ffb74dd9
Opcode Fuzzy Hash: b509a2df5d539de6ea8f8944f8816325fc7c18b4161c89a77048410eccfa0130
Instruction Fuzzy Hash: 616190B090034DAFEB61CF64D888EFE7BB9EB01304F144559EA52D7251DB31AE46DB22

Function 00D17192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D17214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D17217
GetWindowLongW.USER32(?,000000F0), ref: 00D1723B
_memset.LIBCMT ref: 00D1724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D1725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D172D6

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 3e3ee01dd9e8d06960ccb59c537cc3a32526cfe9720a77de1731bb67bc572220
Instruction ID: b50a35b59e78bb4d88bc90e3e8e3dc5de8c15310b74d6976b18b6407acbc89d6
Opcode Fuzzy Hash: 3e3ee01dd9e8d06960ccb59c537cc3a32526cfe9720a77de1731bb67bc572220
Instruction Fuzzy Hash: DB614975A04208BFDB10DFA4DC81EEE77B8EB09710F144159FA15E73A1DB70A985DB60

Function 00CE710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00CE7135
SafeArrayAllocData.OLEAUT32(?), ref: 00CE718E
VariantInit.OLEAUT32(?), ref: 00CE71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00CE71C0
VariantCopy.OLEAUT32(?,?), ref: 00CE7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00CE7227
VariantClear.OLEAUT32(?), ref: 00CE723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00CE7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CE7252
VariantClear.OLEAUT32(?), ref: 00CE7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CE726F

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6c72e94c5eaccf1b05d1090134f934c60da7d4787d568d36e86557a4c9022d48
Instruction ID: a4b553c9bc307d2cbbcbf0da7763b382d61561d5b171571c8257a9c6a002fdc4
Opcode Fuzzy Hash: 6c72e94c5eaccf1b05d1090134f934c60da7d4787d568d36e86557a4c9022d48
Instruction Fuzzy Hash: CF415E35904219EFCF00DFA9D8489EEBBB8EF08354F008169F915E7361CB30A946DBA0

Function 00D05A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00D05AA6
inet_addr.WSOCK32(?,?,?), ref: 00D05AEB
gethostbyname.WSOCK32(?), ref: 00D05AF7
IcmpCreateFile.IPHLPAPI ref: 00D05B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00D05B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00D05B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00D05C00
WSACleanup.WSOCK32 ref: 00D05C06

Strings

Ping, xrefs: 00D05B29

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f3ffcf66b47599d1130ebc41845beb74d53570d2f5fa41cad7c1698a9d0d02bb
Instruction ID: bf0342051a6af244096555fbc0b57787d7758d14c65ff464f4be4df28fc3358b
Opcode Fuzzy Hash: f3ffcf66b47599d1130ebc41845beb74d53570d2f5fa41cad7c1698a9d0d02bb
Instruction Fuzzy Hash: F7517D31604700AFDB119F24DC49B6ABBE4EF44710F188929F99ADB2E1DB70E840DF66

Function 00CFB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CFB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CFB7B1
GetLastError.KERNEL32 ref: 00CFB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00CFB828

Strings

INVALID, xrefs: 00CFB7FA
READONLY, xrefs: 00CFB7F3
READY, xrefs: 00CFB801
NOTREADY, xrefs: 00CFB7E7
UNKNOWN, xrefs: 00CFB7E0

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: dd717bdf69d22d2d8f9e12fe3fa3de4ab840755cfd94a28732e564eda001d0bf
Instruction ID: 6148c965a8e8a2ab53a31fddc815bcd77a3ec22836c04276d518c4e64e979044
Opcode Fuzzy Hash: dd717bdf69d22d2d8f9e12fe3fa3de4ab840755cfd94a28732e564eda001d0bf
Instruction Fuzzy Hash: 61319435A40209AFDB50FF68C885AFEB7B4EF84740F10802AF616D7291DB719E46D762

Function 00CE9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

Part of subcall function 00CEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CEB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00CE94F6
GetDlgCtrlID.USER32 ref: 00CE9501
GetParent.USER32 ref: 00CE951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CE9520
GetDlgCtrlID.USER32(?), ref: 00CE9529
GetParent.USER32(?), ref: 00CE9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00CE9548

Strings

ListBox, xrefs: 00CE94B3
ComboBox, xrefs: 00CE947E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 8dc63f6e984dce2a7511df31e56b0859ee3f212a8678ecd2ecad390218652fc1
Instruction ID: 806b596cc1f24fa4cf377d038b0b5e7bdf46e1142830d5637a7efb9d9748c72b
Opcode Fuzzy Hash: 8dc63f6e984dce2a7511df31e56b0859ee3f212a8678ecd2ecad390218652fc1
Instruction Fuzzy Hash: E121C170A01204BBCF05ABA6CC89DFEBB74EF49310F104269F961972E2DF755919EB20

Function 00CE955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

Part of subcall function 00CEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CEB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00CE95DF
GetDlgCtrlID.USER32 ref: 00CE95EA
GetParent.USER32 ref: 00CE9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CE9609
GetDlgCtrlID.USER32(?), ref: 00CE9612
GetParent.USER32(?), ref: 00CE962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00CE9631

Strings

ListBox, xrefs: 00CE959E
ComboBox, xrefs: 00CE9569

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 36a0ca7d830974e7a95b30d55f409e0c9f4312b1def45c98dec8424f14c1ee55
Instruction ID: 8e6773ddb2a2b50a4f6aceab30514912ffd5e0ca4531f46ff7b01969eeaf02df
Opcode Fuzzy Hash: 36a0ca7d830974e7a95b30d55f409e0c9f4312b1def45c98dec8424f14c1ee55
Instruction Fuzzy Hash: 6821B074A01244BBDF01EBA1CC89EFEBB78EF48300F104156F921972A1DB759919AB20

Function 00CE9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00CE9651
GetClassNameW.USER32(00000000,?,00000100), ref: 00CE9666
_wcscmp.LIBCMT ref: 00CE9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00CE96F3

Strings

details, xrefs: 00CE96A1
largeicons, xrefs: 00CE9687
list, xrefs: 00CE96D5
SHELLDLL_DefView, xrefs: 00CE9672
smallicons, xrefs: 00CE96BB

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 422e1dfcdd44dc309074cb5ff818958e1a276a179c699d9702e54a1a69795116
Instruction ID: 067d56e8bb1e677aad2f5f064bd3607e2f38c38a374c719ee1074343f2d1b1b3
Opcode Fuzzy Hash: 422e1dfcdd44dc309074cb5ff818958e1a276a179c699d9702e54a1a69795116
Instruction Fuzzy Hash: B111C676248387BBFB012627DC1BDEBB79CDB05760F200127F910E50E1FEB16A559968

Function 00D08BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D08BEC
CoInitialize.OLE32(00000000), ref: 00D08C19
CoUninitialize.OLE32 ref: 00D08C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00D08D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00D08E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00D22C0C), ref: 00D08E84
CoGetObject.OLE32(?,00000000,00D22C0C,?), ref: 00D08EA7
SetErrorMode.KERNEL32(00000000), ref: 00D08EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00D08F3A
VariantClear.OLEAUT32(?), ref: 00D08F4A

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: d2f892cc138c6dd7b53628d3b86ca23d5ac9ea6d9a52bb8067253fee4be62e01
Instruction ID: bc2b374211b661174ab6d4002c4523c3974b578f2c7117ed2f674b7b4e28374b
Opcode Fuzzy Hash: d2f892cc138c6dd7b53628d3b86ca23d5ac9ea6d9a52bb8067253fee4be62e01
Instruction Fuzzy Hash: 59C136B1608305AFD700DF64C884A6AB7E9FF88348F04495DF5899B291DB71ED05DB62

Function 00CF4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00CF419D
__swprintf.LIBCMT ref: 00CF41AA

Part of subcall function 00CB38D8: __woutput_l.LIBCMT ref: 00CB3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00CF41D4
LoadResource.KERNEL32(?,00000000), ref: 00CF41E0
LockResource.KERNEL32(00000000), ref: 00CF41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00CF420D
LoadResource.KERNEL32(?,00000000), ref: 00CF421F
SizeofResource.KERNEL32(?,00000000), ref: 00CF422E
LockResource.KERNEL32(?), ref: 00CF423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00CF429B

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: cb45aeff4280480ef5f1c29dee82e92db478293c5a89b1d486bfc0a1151a4fa6
Instruction ID: 9cadd670a1783de8f7e9dc206d280ce7fe8bee7d9a0e605fce69f715c168af2e
Opcode Fuzzy Hash: cb45aeff4280480ef5f1c29dee82e92db478293c5a89b1d486bfc0a1151a4fa6
Instruction Fuzzy Hash: 52318D7160521ABBDB159F61EC48EFF7BACEF08302F008525FA15D6250EB70DA528BB5

Function 00C9FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C9FC06
OleUninitialize.OLE32(?,00000000), ref: 00C9FCA5
UnregisterHotKey.USER32(?), ref: 00C9FDFC
DestroyWindow.USER32(?), ref: 00CD4A00
FreeLibrary.KERNEL32(?), ref: 00CD4A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CD4A92

Strings

close all, xrefs: 00C9FC01

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 552714e360a3043c9baab4418f3beec4bb61d3c78bab624dabfda3a72e208dc2
Instruction ID: b33fa7757531dc8f4087544fcd1a9245f3bef7535cf1d2f3a5755fa344235f4b
Opcode Fuzzy Hash: 552714e360a3043c9baab4418f3beec4bb61d3c78bab624dabfda3a72e208dc2
Instruction Fuzzy Hash: 5DA15F31701212DFCB29EF15C499A69F764AF14700F1442AEEA1AAB361CB30EE17EF54

Function 00CEA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00CEAA64), ref: 00CEA9A2

Strings

TEXT, xrefs: 00CEA8D9
INSTANCE, xrefs: 00CEA8B0
REGEXPCLASS, xrefs: 00CEA767
CLASS, xrefs: 00CEA721
NAME, xrefs: 00CEA7D4
CLASSNN, xrefs: 00CEA744

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 347a3ebcd28e9c6e4aca07f12a80975616c6e113e58cef1d303138c497ecb295
Instruction ID: 8c088623017b5a527df95ef87a12540844d5c7988f8668b664f0430deadfbbd6
Opcode Fuzzy Hash: 347a3ebcd28e9c6e4aca07f12a80975616c6e113e58cef1d303138c497ecb295
Instruction Fuzzy Hash: 87919531600686AFDB18DF72C481BEEFB74BF04314F518119D89AA7292DF307A59DBA1

Function 00C92E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C92EAE

Part of subcall function 00C91DB3: GetClientRect.USER32(?,?), ref: 00C91DDC
Part of subcall function 00C91DB3: GetWindowRect.USER32(?,?), ref: 00C91E1D
Part of subcall function 00C91DB3: ScreenToClient.USER32(?,?), ref: 00C91E45

GetDC.USER32 ref: 00CCCF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CCCF95
SelectObject.GDI32(00000000,00000000), ref: 00CCCFA3
SelectObject.GDI32(00000000,00000000), ref: 00CCCFB8
ReleaseDC.USER32(?,00000000), ref: 00CCCFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CCD04B

Strings

U, xrefs: 00CCCF20

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b0aea97af0fc00e884e7f7ce8d76d3f217a5e1b309142ceb6d98a7a12b50d822
Instruction ID: 3807039bbf15ba6d3fd0a02d8e6c92ab27d1842bfd9c82cbae985c54cd7b5f98
Opcode Fuzzy Hash: b0aea97af0fc00e884e7f7ce8d76d3f217a5e1b309142ceb6d98a7a12b50d822
Instruction Fuzzy Hash: D271A530500205EFCF21CF68C8C5EAA7BB5FF49351F14426DEDA6962A6D7318D42DB60

Function 00D1C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C92612: GetWindowLongW.USER32(?,000000EB), ref: 00C92623

Part of subcall function 00C92344: GetCursorPos.USER32(?), ref: 00C92357
Part of subcall function 00C92344: ScreenToClient.USER32(00D567B0,?), ref: 00C92374
Part of subcall function 00C92344: GetAsyncKeyState.USER32(00000001), ref: 00C92399
Part of subcall function 00C92344: GetAsyncKeyState.USER32(00000002), ref: 00C923A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00D1C2E4
ImageList_EndDrag.COMCTL32 ref: 00D1C2EA
ReleaseCapture.USER32 ref: 00D1C2F0
SetWindowTextW.USER32(?,00000000), ref: 00D1C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D1C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00D1C48F

Strings

@GUI_DROPID, xrefs: 00D1C3E1
@GUI_DRAGFILE, xrefs: 00D1C424

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 23729037b3129039b160c0a0b4a33c553a016f2c62d5bbdcc2850d597c773a65
Instruction ID: 2e7839d17e9c890a13526a8b17596ef38b7bf8f1ab857bdb1f4cbd1a88e9d4cf
Opcode Fuzzy Hash: 23729037b3129039b160c0a0b4a33c553a016f2c62d5bbdcc2850d597c773a65
Instruction Fuzzy Hash: E3519E70208304AFDB00EF14D859FAA7BE5EB88310F44851DF995872E1DF30E949DB62

Function 00D08F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00D1F910), ref: 00D0903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00D1F910), ref: 00D09071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00D091EB
SysFreeString.OLEAUT32(?), ref: 00D09215

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: efa68b2d7c003ebc2565c377ac3a579b9d359be7a0ccdded60fce7e737f9b0e3
Instruction ID: ece4d61a7575f66b01a27d53732cc262442b168e5cdc5c27c29243ffbcde6f87
Opcode Fuzzy Hash: efa68b2d7c003ebc2565c377ac3a579b9d359be7a0ccdded60fce7e737f9b0e3
Instruction Fuzzy Hash: 30F10A71A00209EFDF14DF94C898EAEB7B9FF49314F148059F519AB291DB31AD46CB60

Function 00D0F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D0F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D0FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00D0FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D0FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00D0FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D0FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00D0FD90
CloseHandle.KERNEL32(?), ref: 00D0FDBF
CloseHandle.KERNEL32(?), ref: 00D0FE36

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 08b9610959022b20819fa9cd3b93b7697e62609f5fc1a1f36a3bd9eb0d154565
Instruction ID: ed353a951d932ad5d7541cb4708335b6d877be6cd4e80006284825c827ddb16e
Opcode Fuzzy Hash: 08b9610959022b20819fa9cd3b93b7697e62609f5fc1a1f36a3bd9eb0d154565
Instruction Fuzzy Hash: DDE193312043419FCB24EF24C495B6ABBE1EF85314F28856DF8999B2E2DB31DC45DB62

Function 00CF4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CF38D3,?), ref: 00CF48C7

Part of subcall function 00CF48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CF38D3,?), ref: 00CF48E0

Part of subcall function 00CF4CD3: GetFileAttributesW.KERNEL32(?,00CF3947), ref: 00CF4CD4

lstrcmpiW.KERNEL32(?,?), ref: 00CF4FE2
_wcscmp.LIBCMT ref: 00CF4FFC
MoveFileW.KERNEL32(?,?), ref: 00CF5017

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: c2e2b39a23eddb3652668406008ee1465c8693132a0a84362a1657358f9d4252
Instruction ID: 65d6e9499ca72939d3b2360f2e4f55312a7d2310c15014e3bd8d303eb28ca7c7
Opcode Fuzzy Hash: c2e2b39a23eddb3652668406008ee1465c8693132a0a84362a1657358f9d4252
Instruction Fuzzy Hash: DD5164B20087859BC764DB90D8859EFB3ECAF85341F00492EF399D3191EF74A6889767

Function 00D188B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D1896E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 8e28d33c912efc9e5ad426575454fd49f3f0d55c46ed0bc16d7b64162230dd5b
Instruction ID: c85fc0e29099c14a0ae1ff82aa92b379773a6a644551d6e42501e2d6fb090b83
Opcode Fuzzy Hash: 8e28d33c912efc9e5ad426575454fd49f3f0d55c46ed0bc16d7b64162230dd5b
Instruction Fuzzy Hash: 6A516030604208BBEF20DF24AC89BE97B65EF05364F644216F555E62A1DF71E9C0EB71

Function 00C92B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00CCC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CCC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00CCC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00CCC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00CCC5C0
DestroyIcon.USER32(00000000), ref: 00CCC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00CCC5EC
DestroyIcon.USER32(?), ref: 00CCC5FB

Part of subcall function 00D1A71E: DeleteObject.GDI32(00000000), ref: 00D1A757

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 8f3cf970531ba3e7e5986b6bfce82ec59dc969a512bd314778e236fd2c9d5691
Instruction ID: 9965184bcc09b2ae596f9215b84625a889672e28191bd23e425daca4043a739e
Opcode Fuzzy Hash: 8f3cf970531ba3e7e5986b6bfce82ec59dc969a512bd314778e236fd2c9d5691
Instruction Fuzzy Hash: 4F513470600309BFDF24DF25DC89FAA7BA5EB58311F104528F956D72A0DB70EA91EB60

Function 00CE9B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CEAE77
Part of subcall function 00CEAE57: GetCurrentThreadId.KERNEL32 ref: 00CEAE7E
Part of subcall function 00CEAE57: AttachThreadInput.USER32(00000000,?,00CE9B65,?,00000001), ref: 00CEAE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00CE9B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00CE9B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00CE9B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CE9B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00CE9BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00CE9BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CE9BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00CE9BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00CE9BDD

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 860ff00012958ee07d2863b8b41a24e0de30d58ecaec5e5876113eefc8223ef0
Instruction ID: 036acd4b60fb05aa6d66eda1d22a7607f7e55e2ab5868f67a4cb99c032932146
Opcode Fuzzy Hash: 860ff00012958ee07d2863b8b41a24e0de30d58ecaec5e5876113eefc8223ef0
Instruction Fuzzy Hash: D2112171900708BFF6102B21DC89FAA3B2CEB0C751F104825F248AB1A0CDF26C51DAB0

Function 00CE8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00CE8A84,00000B00,?,?), ref: 00CE8E0C
HeapAlloc.KERNEL32(00000000,?,00CE8A84,00000B00,?,?), ref: 00CE8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CE8A84,00000B00,?,?), ref: 00CE8E28
GetCurrentProcess.KERNEL32(?,00000000,?,00CE8A84,00000B00,?,?), ref: 00CE8E30
DuplicateHandle.KERNEL32(00000000,?,00CE8A84,00000B00,?,?), ref: 00CE8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00CE8A84,00000B00,?,?), ref: 00CE8E43
GetCurrentProcess.KERNEL32(00CE8A84,00000000,?,00CE8A84,00000B00,?,?), ref: 00CE8E4B
DuplicateHandle.KERNEL32(00000000,?,00CE8A84,00000B00,?,?), ref: 00CE8E4E
CreateThread.KERNEL32(00000000,00000000,00CE8E74,00000000,00000000,00000000), ref: 00CE8E68

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ae8d23df8aaa2bc56f73af91f25096ed7dd5660e18b508ce7045950bbddba2a6
Instruction ID: efd884eba1fb729ab80ebf3526184de06831d835f9e0974292a2420d0ec6ebc6
Opcode Fuzzy Hash: ae8d23df8aaa2bc56f73af91f25096ed7dd5660e18b508ce7045950bbddba2a6
Instruction Fuzzy Hash: 2101BFB5240344FFE710AB65DC4DF973B6CEB89711F008521FA05DB291CA759841CB30

Function 00D09428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D0947C
VariantInit.OLEAUT32(?), ref: 00D0954D
VariantInit.OLEAUT32(?), ref: 00D0964E
VariantClear.OLEAUT32(?), ref: 00D09658
VariantClear.OLEAUT32(?), ref: 00D096B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 00D094DD, 00D0960B, 00D096C3
Incorrect Object type in FOR..IN loop, xrefs: 00D09631

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: bd7b5f24bb70de3f158d63666da1444a6b9828d85b356f5da347e077a4eaf870
Instruction ID: 23748695599319b3e5850ecbb83c3b8eb06addfa77b1b1984889e7e7e4495b1b
Opcode Fuzzy Hash: bd7b5f24bb70de3f158d63666da1444a6b9828d85b356f5da347e077a4eaf870
Instruction Fuzzy Hash: 2891AC71A00219ABDF24DFA5CC58FAEBBB8EF45310F148159F519AB282D7709905CFB0

Function 00D09A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00CE7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CE758C,80070057,?,?,?,00CE799D), ref: 00CE766F
Part of subcall function 00CE7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CE758C,80070057,?,?), ref: 00CE768A
Part of subcall function 00CE7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CE758C,80070057,?,?), ref: 00CE7698
Part of subcall function 00CE7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CE758C,80070057,?), ref: 00CE76A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00D09B1B
_memset.LIBCMT ref: 00D09B28
_memset.LIBCMT ref: 00D09C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00D09C97
CoTaskMemFree.OLE32(?), ref: 00D09CA2

Strings

NULL Pointer assignment, xrefs: 00D09CF0

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 99b31a0d525d04ac998bd8e9fe3acfecfd6ff403165ce2dfd21a431353f1143a
Instruction ID: 67e312dadec93933fb24678de35c79b3cb1915f77198c2006f8f900bfef34a14
Opcode Fuzzy Hash: 99b31a0d525d04ac998bd8e9fe3acfecfd6ff403165ce2dfd21a431353f1143a
Instruction Fuzzy Hash: E2914871D00229EBDF10DFA5DC94ADEBBB8EF08310F20415AF519A7291DB319A44DFA0

Function 00D16FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D17093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00D170A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D170C1
_wcscat.LIBCMT ref: 00D1711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00D17133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D17161

Strings

SysListView32, xrefs: 00D17065

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 046a4b4faae5277cbf678d0663c343ff442d0a46b691b68c88a143c1c89db16e
Instruction ID: 0be6c3a3ddb734de7eeac0b8fe65b53ea0ebfcc792ff133db588c30542298d6c
Opcode Fuzzy Hash: 046a4b4faae5277cbf678d0663c343ff442d0a46b691b68c88a143c1c89db16e
Instruction Fuzzy Hash: 43418171A04308BFDB219F64DC85BEA77B8EF08350F14452AF984E72A2DA719DC58B70

Function 00D0EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00CF3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00CF3EB6
Part of subcall function 00CF3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00CF3EC4
Part of subcall function 00CF3E91: CloseHandle.KERNEL32(00000000), ref: 00CF3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D0ECB8
GetLastError.KERNEL32 ref: 00D0ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00D0ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00D0ED77
GetLastError.KERNEL32(00000000), ref: 00D0ED82
CloseHandle.KERNEL32(00000000), ref: 00D0EDB7

Strings

SeDebugPrivilege, xrefs: 00D0ECD6

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 81ae32d3785047ee73a45cf468f243c39d0a2f275d08f62c87b0298a839c42a3
Instruction ID: 052ea6dc97d681591b0371a8f8832c6b71d1a4e2ebf9ea9f40d9df2992fc0163
Opcode Fuzzy Hash: 81ae32d3785047ee73a45cf468f243c39d0a2f275d08f62c87b0298a839c42a3
Instruction Fuzzy Hash: 1141CC71200201AFDB10EF24CC95FAEB7A1EF50714F08841DF94A9B3D2DB75A805EBA6

Function 00CF3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00CF32C5

Strings

blank, xrefs: 00CF3247
stop, xrefs: 00CF3296
warning, xrefs: 00CF32AE
info, xrefs: 00CF3266
question, xrefs: 00CF327E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 97f7a51d2fe676235281df08a5c8875d866d5509914273ca7d45cebc10dd8f06
Instruction ID: e96aa1525b17227ac8aa900b2fc52ef9addbfe76be250b58e353c1de30404a19
Opcode Fuzzy Hash: 97f7a51d2fe676235281df08a5c8875d866d5509914273ca7d45cebc10dd8f06
Instruction Fuzzy Hash: DC11E7312483CABFA7015B59DC82DFFB39CEF19374F20002AF610AA2C3E6A55B4455B6

Function 00CF4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CF454E
LoadStringW.USER32(00000000), ref: 00CF4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CF456B
LoadStringW.USER32(00000000), ref: 00CF4572
_wprintf.LIBCMT ref: 00CF4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CF45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00CF4593

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: c1426129e2c146bc1af0f5a552a3a9e791596e72677d0862ea320d417d9192df
Instruction ID: 92f379443d0b1570354365aff7603acf6ca58db71669f136b29126885cf3b530
Opcode Fuzzy Hash: c1426129e2c146bc1af0f5a552a3a9e791596e72677d0862ea320d417d9192df
Instruction Fuzzy Hash: 570162F2904308BFE750E7A0DD89EFB776CD708301F4045A5BB49D2151EA749E858B71

Function 00D1D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C92612: GetWindowLongW.USER32(?,000000EB), ref: 00C92623

GetSystemMetrics.USER32(0000000F), ref: 00D1D78A
GetSystemMetrics.USER32(0000000F), ref: 00D1D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00D1D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D1DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D1DA24
ShowWindow.USER32(00000003,00000000), ref: 00D1DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00D1DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00D1DA8B

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: e357c12397f425a3985f2e46d8975883fe47a46850882381ed5de50867e6cbae
Instruction ID: 34738fe597751c74e2e100e511f48044263695e7e1db743c3b90e659a6de2bdb
Opcode Fuzzy Hash: e357c12397f425a3985f2e46d8975883fe47a46850882381ed5de50867e6cbae
Instruction Fuzzy Hash: D3B16971600225EBDF18CF69D9857ED7BB2FF48711F088169EC489B295DB34A990CBA0

Function 00C92A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00CCC417,00000004,00000000,00000000,00000000), ref: 00C92ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00CCC417,00000004,00000000,00000000,00000000,000000FF), ref: 00C92B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00CCC417,00000004,00000000,00000000,00000000), ref: 00CCC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00CCC417,00000004,00000000,00000000,00000000), ref: 00CCC4D6

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 862a143e384009d55a92c6de0fbf6f417bd15a1ed2b2e87742d5fdd33214f8ad
Instruction ID: c528ab488d163b131ff6a0025b2affdaea10f1f742d18129c0dd9c5295fe327d
Opcode Fuzzy Hash: 862a143e384009d55a92c6de0fbf6f417bd15a1ed2b2e87742d5fdd33214f8ad
Instruction Fuzzy Hash: D241DA32608780BACF39CB29DCDCB7A7B92AB55310F54C41DE0EB86661CE759946E720

Function 00CF7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00CF737F

Part of subcall function 00CB0FF6: std::exception::exception.LIBCMT ref: 00CB102C
Part of subcall function 00CB0FF6: __CxxThrowException@8.LIBCMT ref: 00CB1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00CF73B6
EnterCriticalSection.KERNEL32(?), ref: 00CF73D2
_memmove.LIBCMT ref: 00CF7420
_memmove.LIBCMT ref: 00CF743D
LeaveCriticalSection.KERNEL32(?), ref: 00CF744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00CF7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00CF7480

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 5d394752808bd792be844d3222b30567b8a2f3b5bbb26463eb115b2fd2ca99a0
Instruction ID: 18c51c9472acb487c32b43ed22a622bd680418080d47339285fa406e522c8677
Opcode Fuzzy Hash: 5d394752808bd792be844d3222b30567b8a2f3b5bbb26463eb115b2fd2ca99a0
Instruction Fuzzy Hash: 32318D31A04205EBCF10EFA4DC85AABBBB8EF45310F1481A5FD04EB246DB309A55DBA5

Function 00D16442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00D1645A
GetDC.USER32(00000000), ref: 00D16462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D1646D
ReleaseDC.USER32(00000000,00000000), ref: 00D16479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D164B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D164C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D19299,?,?,000000FF,00000000,?,000000FF,?), ref: 00D16500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D16520

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e5e8efdc17269149dc0dc72eac7cf11b04ff912755097fde8fdd64533161c69e
Instruction ID: 522890c7dff8bff41843ea8b11bbb5f8e4ec78e651165fd3577c6f539f614d4a
Opcode Fuzzy Hash: e5e8efdc17269149dc0dc72eac7cf11b04ff912755097fde8fdd64533161c69e
Instruction Fuzzy Hash: D9314F72201214BFEB118F50DC4AFEA3FAAEF09765F044065FE08DA295DA759C42CB74

Function 00CEC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00CEC087
_memcmp.LIBCMT ref: 00CEC0A9
_memcmp.LIBCMT ref: 00CEC0C1
_memcmp.LIBCMT ref: 00CEC0D4
_memcmp.LIBCMT ref: 00CEC0EE
_memcmp.LIBCMT ref: 00CEC101
_memcmp.LIBCMT ref: 00CEC119
_memcmp.LIBCMT ref: 00CEC134

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4b5bcd6363d877a6ccc6ee752b5854765c475417a6c759dce4280c77ef31e70b
Instruction ID: 6d7048fe3d3d93c8085eb384f8caca9d0dfb64bb48b15ceefa6b817f55c5716d
Opcode Fuzzy Hash: 4b5bcd6363d877a6ccc6ee752b5854765c475417a6c759dce4280c77ef31e70b
Instruction Fuzzy Hash: 5121A171600255BFD614A5239DD2FFF239CEF603A8F484020FD1596282E751DF26A2F5

Function 00CFED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00C99997: __itow.LIBCMT ref: 00C999C2
Part of subcall function 00C99997: __swprintf.LIBCMT ref: 00C99A0C

Part of subcall function 00CAFEC6: _wcscpy.LIBCMT ref: 00CAFEE9

_wcstok.LIBCMT ref: 00CFEEFF
_wcscpy.LIBCMT ref: 00CFEF8E
_memset.LIBCMT ref: 00CFEFC1

Strings

X, xrefs: 00CFEFFE

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: b47981585fdd28a667a669d2ee4cf7ab15ebe9c7c05ab9f25a2d13c481462a60
Instruction ID: 4e01797860ac8af2d8e52820c7db72b3415b5695aa2151302aa1c9419fb19d25
Opcode Fuzzy Hash: b47981585fdd28a667a669d2ee4cf7ab15ebe9c7c05ab9f25a2d13c481462a60
Instruction Fuzzy Hash: 56C16E715083449FCB64EF24C885AAEB7E4FF84310F04496DF99A972A2DB30ED45DB92

Function 00D06E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00D06F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00D06F35
WSAGetLastError.WSOCK32(00000000), ref: 00D06F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00D06FFE
inet_ntoa.WSOCK32(?), ref: 00D06FBB

Part of subcall function 00CEAE14: _strlen.LIBCMT ref: 00CEAE1E
Part of subcall function 00CEAE14: _memmove.LIBCMT ref: 00CEAE40

_strlen.LIBCMT ref: 00D07058
_memmove.LIBCMT ref: 00D070C1

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 0ccf6c90d05e50835f067029768d109c033a54e5712660caae5b5e8ed2ec94fb
Instruction ID: 9db16d57252e1f780a53b32776c83e931766a43b65c6798b548e57e5e395afd4
Opcode Fuzzy Hash: 0ccf6c90d05e50835f067029768d109c033a54e5712660caae5b5e8ed2ec94fb
Instruction Fuzzy Hash: 3E81C071508300ABDB10EB24CC86F6BB3E9EF84714F148A1CF5599B2E2DA71ED05D7A2

Function 00C91424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747e603a30f2307aff635eada5ac81a327b08b5fd8e27bf44272d072a992abfd
Instruction ID: 5f7659e4c2a733ad1757300cdeb321fe0b00db2ac9cbab8ed93149061f549136
Opcode Fuzzy Hash: 747e603a30f2307aff635eada5ac81a327b08b5fd8e27bf44272d072a992abfd
Instruction Fuzzy Hash: D7714C3090050AFFCF149F99CC4AEBEBBB9FF89310F148159F925AA251C734AA51CB60

Function 00D1B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01665280), ref: 00D1B6A5
IsWindowEnabled.USER32(01665280), ref: 00D1B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00D1B795
SendMessageW.USER32(01665280,000000B0,?,?), ref: 00D1B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00D1B809
GetWindowLongW.USER32(01665280,000000EC), ref: 00D1B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D1B843

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 195bae3e3e5fc30db110a786f5b89df57cf0e7c7967d8cccf4c87b360581f0bc
Instruction ID: 40ad35b381c212591bf100b2742e4f04b0bb220c1335e4c1f4f142fa877206d5
Opcode Fuzzy Hash: 195bae3e3e5fc30db110a786f5b89df57cf0e7c7967d8cccf4c87b360581f0bc
Instruction Fuzzy Hash: EC717C34600304BFDB209F64E8D5FEA7BB9EB59320F18445AE9559B3A1CB31AD81CB70

Function 00D0F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D0F75C
_memset.LIBCMT ref: 00D0F825
ShellExecuteExW.SHELL32(?), ref: 00D0F86A

Part of subcall function 00C99997: __itow.LIBCMT ref: 00C999C2
Part of subcall function 00C99997: __swprintf.LIBCMT ref: 00C99A0C

Part of subcall function 00CAFEC6: _wcscpy.LIBCMT ref: 00CAFEE9

GetProcessId.KERNEL32(00000000), ref: 00D0F8E1
CloseHandle.KERNEL32(00000000), ref: 00D0F910

Strings

@, xrefs: 00D0F839

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 01233a4e8aa457488e8bbb93564802c4214c060d2daddf77ef49199fa864014a
Instruction ID: 156c062b70cf83f12eff336064cc0b34b8dff1da5797fa5fb19938d4544dc305
Opcode Fuzzy Hash: 01233a4e8aa457488e8bbb93564802c4214c060d2daddf77ef49199fa864014a
Instruction Fuzzy Hash: FB619F75A006199FCF14EF58C484AAEBBF5FF48310F14846DE84AAB791CB30AD41DBA0

Function 00CF145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00CF149C
GetKeyboardState.USER32(?), ref: 00CF14B1
SetKeyboardState.USER32(?), ref: 00CF1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00CF1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00CF155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00CF15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CF15C8

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d4b84d6c7a1a26c93d638be58bfcc2e0d01cf5e87abb8993a96b50d3b055f34c
Instruction ID: 29f5cb3956115275ebb4876a82fca661aadcf1ee9814d74454d047b74ea06a4a
Opcode Fuzzy Hash: d4b84d6c7a1a26c93d638be58bfcc2e0d01cf5e87abb8993a96b50d3b055f34c
Instruction Fuzzy Hash: D85104A06047D9BEFB764734CC05BBA7EE96B46304F0C8489EAE5868C2C294DE84D752

Function 00CF1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00CF12B5
GetKeyboardState.USER32(?), ref: 00CF12CA
SetKeyboardState.USER32(?), ref: 00CF132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CF1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CF1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CF13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CF13D9

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 14a31a5d8dde364baf059da36be690102f8becbb1aed7899abc94c6cbdd8c698
Instruction ID: 27e05ee025b3f13f4c4968a03f8b11818183a527f95d53d33178ffe6281332f8
Opcode Fuzzy Hash: 14a31a5d8dde364baf059da36be690102f8becbb1aed7899abc94c6cbdd8c698
Instruction Fuzzy Hash: C9512A605047DDBDFB3687258C01B7A7FA95F06300F0C8489EAE846CD2D395DE88E752

Function 00CF589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00CF58AC
_wcsncpy.LIBCMT ref: 00CF58E1
_wcsncpy.LIBCMT ref: 00CF5913
_wcsncpy.LIBCMT ref: 00CF5946
_wcsncpy.LIBCMT ref: 00CF5988
_wcsncpy.LIBCMT ref: 00CF59C2
_wcsncpy.LIBCMT ref: 00CF59F1

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 30b07625ed6a3980763bdb8b5a58312b97a8366c9747217ebbf4293d8a35248a
Instruction ID: f8516d4939f6fc70208322f30590c751a7ee97d4c02317f6865f3f2a034e55ee
Opcode Fuzzy Hash: 30b07625ed6a3980763bdb8b5a58312b97a8366c9747217ebbf4293d8a35248a
Instruction Fuzzy Hash: 6F41D375C2025876CB51EBB4CC869DFB3A89F04310F518552F718E3222EB34E715E7AA

Function 00CF38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CF38D3,?), ref: 00CF48C7

Part of subcall function 00CF48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CF38D3,?), ref: 00CF48E0

lstrcmpiW.KERNEL32(?,?), ref: 00CF38F3
_wcscmp.LIBCMT ref: 00CF390F
MoveFileW.KERNEL32(?,?), ref: 00CF3927
_wcscat.LIBCMT ref: 00CF396F
SHFileOperationW.SHELL32(?), ref: 00CF39DB

Strings

\*.*, xrefs: 00CF3969

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: df25588e233be1841bd2a957e0bc7478a29fb9a2d21dae13ef9faf1e5e9cb07c
Instruction ID: f2b81521125d20825f3e8e2bc1cdea7d2d956cbbac9a36918535f1dfe9b97e38
Opcode Fuzzy Hash: df25588e233be1841bd2a957e0bc7478a29fb9a2d21dae13ef9faf1e5e9cb07c
Instruction Fuzzy Hash: 44419171508388AAC795EF64C445AEFB7ECAF88340F14092EF599C3191EA74D788C763

Function 00D17500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D17519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D175C0
IsMenu.USER32(?), ref: 00D175D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D17620
DrawMenuBar.USER32 ref: 00D17633

Strings

0, xrefs: 00D1750D

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: fc57cb3dcbf6da8da8c45db6befd7ac80d4b28642f720ea22efa89595c9145d4
Instruction ID: 245b2453e858f2551b85b8e1a56f3100c15120b55045037cc183ce04b4a9e832
Opcode Fuzzy Hash: fc57cb3dcbf6da8da8c45db6befd7ac80d4b28642f720ea22efa89595c9145d4
Instruction Fuzzy Hash: 10411875A04609AFDB10DF54E884EDABBB9FB04350F048129E959973A0DB30ED90CFA0

Function 00D1122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00D1125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D11286
FreeLibrary.KERNEL32(00000000), ref: 00D1133D

Part of subcall function 00D1122D: RegCloseKey.ADVAPI32(?), ref: 00D112A3
Part of subcall function 00D1122D: FreeLibrary.KERNEL32(?), ref: 00D112F5
Part of subcall function 00D1122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00D11318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00D112E0

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 3c2fa39aa582bc52a386490c2dae151a830b676cd1ca45bf2e2f2836f767cac5
Instruction ID: 9797e862fb3a28009ff9967b608529cc854454d98b0077ceb8f824af08121118
Opcode Fuzzy Hash: 3c2fa39aa582bc52a386490c2dae151a830b676cd1ca45bf2e2f2836f767cac5
Instruction Fuzzy Hash: 26314BB5901219BFDB14DF90EC89AFEB7BCEF08300F004169E611E2251EA749E859AB0

Function 00D1653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00D1655B
GetWindowLongW.USER32(01665280,000000F0), ref: 00D1658E
GetWindowLongW.USER32(01665280,000000F0), ref: 00D165C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00D165F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00D1661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00D16630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00D1664A

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: f615092f8fe3d92e21fdf3a02e395cd38ada91d82836cbb6fa8c027eddd29ebf
Instruction ID: 97255af1496cf20d663b7e270efdd9c374aff19733825d9d936ae4974552b0e0
Opcode Fuzzy Hash: f615092f8fe3d92e21fdf3a02e395cd38ada91d82836cbb6fa8c027eddd29ebf
Instruction Fuzzy Hash: 3831B130644250AFEB21CF58EC85F953BE2AB4A751F1942A8F911CB3B5CF61E881DB61

Function 00D06486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D080A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D080CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00D064D9
WSAGetLastError.WSOCK32(00000000), ref: 00D064E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00D06521
connect.WSOCK32(00000000,?,00000010), ref: 00D0652A
WSAGetLastError.WSOCK32 ref: 00D06534
closesocket.WSOCK32(00000000), ref: 00D0655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00D06576

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 1115090d0329e0a1e4f3063b7648470ca02f864355fe2e1e5ec70ffd1bb7881a
Instruction ID: f4b5b03d71aa47668c4654a8b3599843cb0820a37816a80fed12d64c75ee39de
Opcode Fuzzy Hash: 1115090d0329e0a1e4f3063b7648470ca02f864355fe2e1e5ec70ffd1bb7881a
Instruction Fuzzy Hash: 22319E71600218ABDB10AF64CC89BBE7BA9EF44720F048029F949E72D1DB74E915DAB1

Function 00CEE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CEE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CEE120
SysAllocString.OLEAUT32(00000000), ref: 00CEE123
SysAllocString.OLEAUT32 ref: 00CEE144
SysFreeString.OLEAUT32 ref: 00CEE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00CEE167
SysAllocString.OLEAUT32(?), ref: 00CEE175

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7d20daa572bc3b96540605b4b19efdfe7bae3c46a72d22fc4870efd2befba51e
Instruction ID: afc3d00092531ac245a180f67fba999303e57dd563eb4285e12e53723931aad4
Opcode Fuzzy Hash: 7d20daa572bc3b96540605b4b19efdfe7bae3c46a72d22fc4870efd2befba51e
Instruction Fuzzy Hash: 09217475604208BF9B10DFAADC88DAB77ECEB097A0B108125F955CB261DA70DD818B64

Function 00CEFB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00CEFB81
__wcsnicmp.LIBCMT ref: 00CEFBA2
__wcsnicmp.LIBCMT ref: 00CEFBBC

Strings

#notrayicon, xrefs: 00CEFB79
#OnAutoItStartRegister, xrefs: 00CEFBB6
#requireadmin, xrefs: 00CEFB9C

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 9f478807939c51091aef174a5a8bc4e11d6593635483d5f8ad2dcbbea4039cc5
Instruction ID: 5ae0560418f8371553c9d4b605f1663526d5e411cc76441de65c29e6123a83fb
Opcode Fuzzy Hash: 9f478807939c51091aef174a5a8bc4e11d6593635483d5f8ad2dcbbea4039cc5
Instruction Fuzzy Hash: B22137322041D1ABD230A626EC12EBB739CEF55340F34843DF89586181EB51AA83E2A1

Function 00D1783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C91D73
Part of subcall function 00C91D35: GetStockObject.GDI32(00000011), ref: 00C91D87
Part of subcall function 00C91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C91D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D178A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D178AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D178B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D178C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D178D4

Strings

Msctls_Progress32, xrefs: 00D17872

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c395af34ebb7ad96c6375ed4c7ea772e4d7b9011619eb27cf72e512ea54ab0de
Instruction ID: 8225a5024b71a59f839913e9a5b2868f29346a15887f498848c97ea1816ca5f7
Opcode Fuzzy Hash: c395af34ebb7ad96c6375ed4c7ea772e4d7b9011619eb27cf72e512ea54ab0de
Instruction Fuzzy Hash: F9118EB2250219BFEF159F60DC85EE77F6DEF08768F014115BA04A20A0CB729C61DBB0

Function 00CB41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00CB4292,?), ref: 00CB41E3
GetProcAddress.KERNEL32(00000000), ref: 00CB41EA
EncodePointer.KERNEL32(00000000), ref: 00CB41F6
DecodePointer.KERNEL32(00000001,00CB4292,?), ref: 00CB4213

Strings

RoInitialize, xrefs: 00CB41D2
combase.dll, xrefs: 00CB41DE

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 7e8d5090fb654a59b5be7cad5a66d311786e9e6e71a55774d7c0976aef30a7aa
Instruction ID: 81aad09dd26cf316c190c908613db0b5d4b5800a0f7372eda022c1dd58108ede
Opcode Fuzzy Hash: 7e8d5090fb654a59b5be7cad5a66d311786e9e6e71a55774d7c0976aef30a7aa
Instruction Fuzzy Hash: D7E01AB4A90B00BEEB205BB1EC09F943AA5B72070BF508424F821D62A0DFB540D69F31

Function 00CB429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00CB41B8), ref: 00CB42B8
GetProcAddress.KERNEL32(00000000), ref: 00CB42BF
EncodePointer.KERNEL32(00000000), ref: 00CB42CA
DecodePointer.KERNEL32(00CB41B8), ref: 00CB42E5

Strings

combase.dll, xrefs: 00CB42B3
RoUninitialize, xrefs: 00CB42A7

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: ee3075df7aa7b63e906f418f82650d93795b6f4625fb5dcd4d31661005dc6d9c
Instruction ID: cae3ac81632f74b1f71ea7e085e31031a5c31a573279e08a23e36762d81ed70b
Opcode Fuzzy Hash: ee3075df7aa7b63e906f418f82650d93795b6f4625fb5dcd4d31661005dc6d9c
Instruction Fuzzy Hash: BFE0B678585B10BFEB109B70FC0DF963EA4B72474BF508024F821E12A0CFB44695EA36

Function 00CF675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CF68AD
_memmove.LIBCMT ref: 00CF67E8

Part of subcall function 00C99997: __itow.LIBCMT ref: 00C999C2
Part of subcall function 00C99997: __swprintf.LIBCMT ref: 00C99A0C

_memmove.LIBCMT ref: 00CF685B
_memmove.LIBCMT ref: 00CF6942
_memmove.LIBCMT ref: 00CF695B
_memmove.LIBCMT ref: 00CF6977

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: cb1dd912e883e8d9c29446e36cc817b48adc01cf96968c0a1b7864e8d4a650fe
Instruction ID: 5b4261798bf02ce2a03ac4550d4e0da3e6b41c321afb51fb64e1597ff9f6434e
Opcode Fuzzy Hash: cb1dd912e883e8d9c29446e36cc817b48adc01cf96968c0a1b7864e8d4a650fe
Instruction Fuzzy Hash: BC61AD3050025E9BCF11FF64CC96EFE37A8EF04308F094519FA5A5B292DB349941EB91

Function 00D1046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

Part of subcall function 00D110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D10038,?,?), ref: 00D110BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D10548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D10588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00D105AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00D105D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00D10617
RegCloseKey.ADVAPI32(00000000), ref: 00D10624

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 8315baae728e851b121747ec22efc59e6d421973d2be92d729ab48d74622f114
Instruction ID: b0c35217be701473827ce05d1e70c5ade4e4640084589bb61eaa6e378ef9246e
Opcode Fuzzy Hash: 8315baae728e851b121747ec22efc59e6d421973d2be92d729ab48d74622f114
Instruction Fuzzy Hash: BB515831108240AFDB11EF64D885EAEBBE9FF88314F04492DF585872A1DF71E985DB62

Function 00D15A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00D15A82
GetMenuItemCount.USER32(00000000), ref: 00D15AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D15AE1
GetMenuItemID.USER32(?,?), ref: 00D15B50
GetSubMenu.USER32(?,?), ref: 00D15B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00D15BAF

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: afde8613fd0082ee94d0f8c734ddc8da9c0823ae332073083db207bb0d925dba
Instruction ID: ffed412f9f11ef18ff7e27fd4233f96ec97f727c6d8eb4f075bc22205f4593a3
Opcode Fuzzy Hash: afde8613fd0082ee94d0f8c734ddc8da9c0823ae332073083db207bb0d925dba
Instruction Fuzzy Hash: 3351AF31A00615EFCF11EFA4E945AEEB7B4EF48310F1440A9E906B7351CB34AE81DBA0

Function 00CEF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CEF3F7
VariantClear.OLEAUT32(00000013), ref: 00CEF469
VariantClear.OLEAUT32(00000000), ref: 00CEF4C4
_memmove.LIBCMT ref: 00CEF4EE
VariantClear.OLEAUT32(?), ref: 00CEF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00CEF569

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 5866825d9b9a194e937770dd7d8370b47a6d3780b15cc139df4338202e0eb403
Instruction ID: 8adf4981e677bcd38456bbea52dfb7ce5671f33526f0c6cedaf504436784f25d
Opcode Fuzzy Hash: 5866825d9b9a194e937770dd7d8370b47a6d3780b15cc139df4338202e0eb403
Instruction Fuzzy Hash: 535157B5A00249AFCB10CF59D884AAAB7B8FF4C314B15816DE959DB354D730EA52CBA0

Function 00CF26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CF2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CF2792
IsMenu.USER32(00000000), ref: 00CF27B2
CreatePopupMenu.USER32 ref: 00CF27E6
GetMenuItemCount.USER32(000000FF), ref: 00CF2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00CF2875

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 72df3cfc3cd2d2406936c56dfd70206a4aa16d8302b20bce22e0f166212a33c5
Instruction ID: 585686cf0c0fb3cebdc25bf5f89df0141258dc634ca5d464081905e7598c1973
Opcode Fuzzy Hash: 72df3cfc3cd2d2406936c56dfd70206a4aa16d8302b20bce22e0f166212a33c5
Instruction Fuzzy Hash: 9551A071A0034DEBDF64CF68D888ABDBBF5AF44354F104169E6259B2D1D7709A04CB52

Function 00C91765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C92612: GetWindowLongW.USER32(?,000000EB), ref: 00C92623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00C9179A
GetWindowRect.USER32(?,?), ref: 00C917FE
ScreenToClient.USER32(?,?), ref: 00C9181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C9182C
EndPaint.USER32(?,?), ref: 00C91876

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 9c120a2c546661e202a3b2e31d6110538f354bbe0a60d16f022c1b27d6692f57
Instruction ID: 418c1c5526e2c8271e7e7bee9acf30d6fbe02427b4885025b8894bf1c4f90fc4
Opcode Fuzzy Hash: 9c120a2c546661e202a3b2e31d6110538f354bbe0a60d16f022c1b27d6692f57
Instruction Fuzzy Hash: E3418E70100301AFDB10DF65CC89FB67BE8EB59724F184668F9A4C72E1CB319945EB61

Function 00D1B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00D567B0,00000000,01665280,?,?,00D567B0,?,00D1B862,?,?), ref: 00D1B9CC
EnableWindow.USER32(00000000,00000000), ref: 00D1B9F0
ShowWindow.USER32(00D567B0,00000000,01665280,?,?,00D567B0,?,00D1B862,?,?), ref: 00D1BA50
ShowWindow.USER32(00000000,00000004,?,00D1B862,?,?), ref: 00D1BA62
EnableWindow.USER32(00000000,00000001), ref: 00D1BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00D1BAA9

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1556007aa5a51fd0e5cf9a006455901ceefb8906f0f85f63bfa188ea90483c49
Instruction ID: bd3d6113c6ad50cdb1fc7a99abdb15773656df780842f7d038b4ed98307b18bd
Opcode Fuzzy Hash: 1556007aa5a51fd0e5cf9a006455901ceefb8906f0f85f63bfa188ea90483c49
Instruction Fuzzy Hash: 32414430600641BFDB21CF64D489BD57FE0BF05321F1C41AAFA488F2A2CB719886CB61

Function 00D073B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00D05134,?,?,00000000,00000001), ref: 00D073BF

Part of subcall function 00D03C94: GetWindowRect.USER32(?,?), ref: 00D03CA7

GetDesktopWindow.USER32 ref: 00D073E9
GetWindowRect.USER32(00000000), ref: 00D073F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00D07422

Part of subcall function 00CF54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CF555E

GetCursorPos.USER32(?), ref: 00D0744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00D074AC

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: af61fb850d7e5f3eb288c4b26987d03766f565cacd5522758ebf723a7f7151eb
Instruction ID: 193b0a96488a2f9d18594ec9beb700da592646135fc5876df978dc3c35e3625f
Opcode Fuzzy Hash: af61fb850d7e5f3eb288c4b26987d03766f565cacd5522758ebf723a7f7151eb
Instruction Fuzzy Hash: 01319272509309ABD720DF54D849F9BBBAAFF88314F004919F589D7191DA70E909CBA2

Function 00CE8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CE8608
Part of subcall function 00CE85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CE8612
Part of subcall function 00CE85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CE8621
Part of subcall function 00CE85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CE8628
Part of subcall function 00CE85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CE863E

GetLengthSid.ADVAPI32(?,00000000,00CE8977), ref: 00CE8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00CE8DB8
HeapAlloc.KERNEL32(00000000), ref: 00CE8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00CE8DD8
GetProcessHeap.KERNEL32(00000000,00000000,00CE8977), ref: 00CE8DEC
HeapFree.KERNEL32(00000000), ref: 00CE8DF3

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 92d0bcc76aac0d262d03f1edbae6a25d82ad3555de6a860fcdd320ce451e8404
Instruction ID: bf5b9c3dd095e103eb15cab168ea8e132c1c381fcf48d5bc1cf81bdb0eb39b15
Opcode Fuzzy Hash: 92d0bcc76aac0d262d03f1edbae6a25d82ad3555de6a860fcdd320ce451e8404
Instruction Fuzzy Hash: DB11AC31901706FFDB109FA5CC09BEE7BA9EF55315F108129E899D7250CB329A49DB70

Function 00CE8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00CE8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00CE8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00CE8B40
CloseHandle.KERNEL32(00000004), ref: 00CE8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CE8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00CE8B8E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: cb9f333d5250ec020be5a58eb69167778f8569fb3bbd7c332fffc567c8f0caa9
Instruction ID: 36820c434ca707cba1cc5998986b07196486a31eb7456bc7d781370037889c0e
Opcode Fuzzy Hash: cb9f333d5250ec020be5a58eb69167778f8569fb3bbd7c332fffc567c8f0caa9
Instruction Fuzzy Hash: 89115CB2500249BBDF01CFA5DD49FDA7BA9EF08304F044064FE08E2160CB759E65DB60

Function 00D1C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C912F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C9134D
Part of subcall function 00C912F3: SelectObject.GDI32(?,00000000), ref: 00C9135C
Part of subcall function 00C912F3: BeginPath.GDI32(?), ref: 00C91373
Part of subcall function 00C912F3: SelectObject.GDI32(?,00000000), ref: 00C9139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00D1C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00D1C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00D1C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00D1C1F6
EndPath.GDI32(00000000), ref: 00D1C206
StrokePath.GDI32(00000000), ref: 00D1C216

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 1be58982477724480ee8f8113b4bf08784c582398a26e196e7f9f2532f6fb628
Instruction ID: 1a5419f5c702ae9357ef53eb13476ac9af22bab668b4751cb17260518957f9aa
Opcode Fuzzy Hash: 1be58982477724480ee8f8113b4bf08784c582398a26e196e7f9f2532f6fb628
Instruction Fuzzy Hash: AC110C7640020DBFDF119F90DC48FDA7FADEB08354F048021BA18862A1CB719E95DBA0

Function 00CEBC53 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CEBC78
GetDeviceCaps.GDI32(00000000,00000058), ref: 00CEBC89
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CEBC90
ReleaseDC.USER32(00000000,00000000), ref: 00CEBC98
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00CEBCAF
MulDiv.KERNEL32(000009EC,?,?), ref: 00CEBCC1

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7f77bcf57bec0c2ad386a2e6d477af86aa39aba9abf98fb6e4164306ff5b3605
Instruction ID: 889b363ca2cc54b7b2ec2626e8cfe9a9879e96866e6d989b835b995fdb479c8d
Opcode Fuzzy Hash: 7f77bcf57bec0c2ad386a2e6d477af86aa39aba9abf98fb6e4164306ff5b3605
Instruction Fuzzy Hash: 14018475E00309BBEB109BA69D49E9EBFB8EB48711F104065FA04E7391DA309D11CFA0

Function 00CB03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00CB03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00CB03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00CB03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00CB03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00CB03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CB0401

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 37053e4f95c83bed36c928f6514957ef001b80bc510b3b554dd09cc7c44d58e0
Instruction ID: 69a586109fad822f200ec81c5742810102ffb1aa14773bf71ec9c8fc69065f5d
Opcode Fuzzy Hash: 37053e4f95c83bed36c928f6514957ef001b80bc510b3b554dd09cc7c44d58e0
Instruction Fuzzy Hash: BC016CB0901B597DE3008F5A8C85B52FFA8FF19354F00411BE15C87A41C7F5A864CBE5

Function 00CF568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CF569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CF56B1
GetWindowThreadProcessId.USER32(?,?), ref: 00CF56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CF56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CF56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CF56E0

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: d8bdf8140e58bd8d3b78e00d86617e2a3dc23ddca6b1ae6f0efbf605c060ebe3
Instruction ID: 160480ca3ad034b84b9fa83e933bb5fc663b7562d75ea4e9c131d33bf5dbd705
Opcode Fuzzy Hash: d8bdf8140e58bd8d3b78e00d86617e2a3dc23ddca6b1ae6f0efbf605c060ebe3
Instruction Fuzzy Hash: 69F03032241658BBE7215BA2EC0DEEF7B7CEFC6B11F004169FA14D1261DBA11A0286B5

Function 00CF74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00CF74E5
EnterCriticalSection.KERNEL32(?,?,00CA1044,?,?), ref: 00CF74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00CA1044,?,?), ref: 00CF7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00CA1044,?,?), ref: 00CF7510

Part of subcall function 00CF6ED7: CloseHandle.KERNEL32(00000000,?,00CF751D,?,00CA1044,?,?), ref: 00CF6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00CF7523
LeaveCriticalSection.KERNEL32(?,?,00CA1044,?,?), ref: 00CF752A

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f4da76ed05ded1e01803c2aa5b687fba345b342d32d722f19217299631fe808a
Instruction ID: 3460a701c7af6026dc54b5a7fd95251d44f49de1206757d333fce0b18b9ec391
Opcode Fuzzy Hash: f4da76ed05ded1e01803c2aa5b687fba345b342d32d722f19217299631fe808a
Instruction Fuzzy Hash: 5DF0BE3A040712FBDB511B24FC8CAEB372AEF04312B100231F602D01B0CFB11902CB60

Function 00CE8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CE8E7F
UnloadUserProfile.USERENV(?,?), ref: 00CE8E8B
CloseHandle.KERNEL32(?), ref: 00CE8E94
CloseHandle.KERNEL32(?), ref: 00CE8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00CE8EA5
HeapFree.KERNEL32(00000000), ref: 00CE8EAC

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d3588902b47937979b23799998df3364ad3bd4e8cf3a3bb0b946b5838dd8b263
Instruction ID: ef87303ab1c3b4393fa5b59281a2580ac0d2692a5cd495222b65f0f90b02acd9
Opcode Fuzzy Hash: d3588902b47937979b23799998df3364ad3bd4e8cf3a3bb0b946b5838dd8b263
Instruction Fuzzy Hash: 09E0C236104601FBDA011FE1EC0C98ABB69FB99322B108230F229C12B0CF32A462DB60

Function 00D08902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D08928
CharUpperBuffW.USER32(?,?), ref: 00D08A37
VariantClear.OLEAUT32(?), ref: 00D08BAF

Part of subcall function 00CF7804: VariantInit.OLEAUT32(00000000), ref: 00CF7844
Part of subcall function 00CF7804: VariantCopy.OLEAUT32(00000000,?), ref: 00CF784D
Part of subcall function 00CF7804: VariantClear.OLEAUT32(00000000), ref: 00CF7859

Strings

Incorrect Parameter format, xrefs: 00D08960, 00D08B22
AUTOIT.ERROR, xrefs: 00D08A3D

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 8d7307d0e03f731ec7dc579d312ed900ead523cddbb60538dcd00ba7f31f92de
Instruction ID: 5e1a7425eef9d7d32daab9cb01db7d5397316b8fba89f8690bfd88f86ae053f0
Opcode Fuzzy Hash: 8d7307d0e03f731ec7dc579d312ed900ead523cddbb60538dcd00ba7f31f92de
Instruction Fuzzy Hash: 109172756043019FCB10DF28C485A6BBBE4EF89314F14496EF89A8B3A1DB31D945DB62

Function 00CF2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAFEC6: _wcscpy.LIBCMT ref: 00CAFEE9

_memset.LIBCMT ref: 00CF3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CF30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CF3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00CF3187

Strings

0, xrefs: 00CF3063

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 9ae7fe73ce1c6fc5f9770af66b9986482b9474527be480b3e05f7a7df117011e
Instruction ID: a5f30ad92dcc422b1aae7d20a963cc26150bdd6ad65193eab8c19189da36f327
Opcode Fuzzy Hash: 9ae7fe73ce1c6fc5f9770af66b9986482b9474527be480b3e05f7a7df117011e
Instruction Fuzzy Hash: 4C51D131609384ABD7959F24D8456BFBBE4EF45320F048A2EFAA5D31A0DB70CB449753

Function 00CEDA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CEDAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00CEDAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00CEDB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CEDB8E

Strings

DllGetClassObject, xrefs: 00CEDB01

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b60471b3f1546892178b494c27eb54bc21d1ec60ac03c454d6c101050e1d41b9
Instruction ID: b56062c4ec1f44cb2bb96159774d3a9804c34fe324891d781eaa24d197a579d9
Opcode Fuzzy Hash: b60471b3f1546892178b494c27eb54bc21d1ec60ac03c454d6c101050e1d41b9
Instruction Fuzzy Hash: 5B41AFB1600348EFDB05CF16C884A9ABBB9EF44350F1581A9ED06DF205E7B0DA80DBA0

Function 00CF2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CF2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00CF2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00CF2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D56890,00000000), ref: 00CF2D5A

Strings

0, xrefs: 00CF2CA4

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 5440a7f05a01f70143c4f61ed8ad0ddb7a2016638db4cd2c64ab8e8d7d2b5d04
Instruction ID: a633d6f94b442adcc91b690765e566932b7df5c32b8ba6b6a855af840383e7f2
Opcode Fuzzy Hash: 5440a7f05a01f70143c4f61ed8ad0ddb7a2016638db4cd2c64ab8e8d7d2b5d04
Instruction Fuzzy Hash: 6341C130204306AFD720DF24C845B6ABBE8EF85320F10465DFA65972D1DB70E904CBA3

Function 00D0DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00D0DAD9

Part of subcall function 00C979AB: _memmove.LIBCMT ref: 00C979F9

Strings

winapi, xrefs: 00D0DB4A
none, xrefs: 00D0DBB4
stdcall, xrefs: 00D0DB5B
cdecl, xrefs: 00D0DB30

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: e997cc99bce40dd37a572b4401040f7e835e6ebdb9a4826a0a4696aea401747f
Instruction ID: 0b0148eb850cc262904eb706de7b6ac41015375cd40477e80029e9c1f676f271
Opcode Fuzzy Hash: e997cc99bce40dd37a572b4401040f7e835e6ebdb9a4826a0a4696aea401747f
Instruction Fuzzy Hash: 1A31A470500619AFCF10EFA4CC819EEB3B5FF15310B148A6AE869A77D1DB31E905DBA0

Function 00CE9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

Part of subcall function 00CEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CEB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00CE93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00CE9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00CE9439

Part of subcall function 00C97D2C: _memmove.LIBCMT ref: 00C97D66

Strings

ListBox, xrefs: 00CE93B5
ComboBox, xrefs: 00CE9380

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: a126835cbe84bd93d4728f67f5e2e51620711dd942619b96f2763f26c9f3fd64
Instruction ID: fb401f72dd2d2516198f6ca4b476f69bacc836dd08a23d9cd69b6ab44194b5a1
Opcode Fuzzy Hash: a126835cbe84bd93d4728f67f5e2e51620711dd942619b96f2763f26c9f3fd64
Instruction Fuzzy Hash: B421E4B1A05244BFDF14ABB2DC898FFB768DF05360B144219F925972E1DF351E0AA620

Function 00D01B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D01B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D01B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00D01B96
InternetCloseHandle.WININET(00000000), ref: 00D01BDD

Part of subcall function 00D02777: GetLastError.KERNEL32(?,?,00D01B0B,00000000,00000000,00000001), ref: 00D0278C
Part of subcall function 00D02777: SetEvent.KERNEL32(?,?,00D01B0B,00000000,00000000,00000001), ref: 00D027A1

Strings

, xrefs: 00D01B87

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f33bf86bfbaf2a8eae79ed3219e90cdfcd6545e808a00671da60e20a4d290bef
Instruction ID: 4d0b7537d29d1d32cb4a92cff0cced27066d1bded39729a010c119f575bb1ba6
Opcode Fuzzy Hash: f33bf86bfbaf2a8eae79ed3219e90cdfcd6545e808a00671da60e20a4d290bef
Instruction Fuzzy Hash: AC219FB5600208BFEB119F649C85FBF77ECEB8A754F14412AF549E6280EB309D059771

Function 00D16656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C91D73
Part of subcall function 00C91D35: GetStockObject.GDI32(00000011), ref: 00C91D87
Part of subcall function 00C91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C91D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D166D0
LoadLibraryW.KERNEL32(?), ref: 00D166D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D166EC
DestroyWindow.USER32(?), ref: 00D166F4

Strings

SysAnimate32, xrefs: 00D166AB

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: a700242bf509018f783c9a9b998a1de663236ab8a945ee1d9eee9aca76a62bdb
Instruction ID: 71627d7b80c3df3a174a2dc9e8a05ebda045fe552c826faa89d914a0a1466dcf
Opcode Fuzzy Hash: a700242bf509018f783c9a9b998a1de663236ab8a945ee1d9eee9aca76a62bdb
Instruction Fuzzy Hash: C8218871200206BFEF108FA4EC90EEB37ADEB69368F144669FA50D21A0DB71CC919770

Function 00CF703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00CF705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CF7091
GetStdHandle.KERNEL32(0000000C), ref: 00CF70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00CF70DD

Strings

nul, xrefs: 00CF70D8

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: db2d3466e61697f2b31ac70b8c194df60a871de59bd1f6b43358062195bf7056
Instruction ID: 86f9ac07343386b716aa42a360fdea017d64a208b5e6b9657f9a51ede056b0f4
Opcode Fuzzy Hash: db2d3466e61697f2b31ac70b8c194df60a871de59bd1f6b43358062195bf7056
Instruction Fuzzy Hash: 8721817450430DABDF609F29DC05AAA7BB8AF44720F208719FEB0D72D0DB7099518B62

Function 00CF710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00CF712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CF715D
GetStdHandle.KERNEL32(000000F6), ref: 00CF716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00CF71A8

Strings

nul, xrefs: 00CF71A3

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 037add94b99600ac123342a4a025a5fb918460a1711602eac215f32b0dea439d
Instruction ID: 456f73f08e22180944631417864dfc0b98b206b140103bf6ebbfa3cb88e7d2f8
Opcode Fuzzy Hash: 037add94b99600ac123342a4a025a5fb918460a1711602eac215f32b0dea439d
Instruction Fuzzy Hash: 2021B07550430DABDB609F689C04ABEB7A8AF55330F208719FEB4D32D0DB709945CB62

Function 00CFAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CFAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CFAF13
__swprintf.LIBCMT ref: 00CFAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00D1F910), ref: 00CFAF6A

Strings

%lu, xrefs: 00CFAF26

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: e4df34742cafcfef8507dc7a6e4c45e6eba83d9011b304d30e8642b7cccad460
Instruction ID: 866e81a223b05b3c2b3a4768289d25f7d052ed452f43c70f1a9fd7a4e6ef8273
Opcode Fuzzy Hash: e4df34742cafcfef8507dc7a6e4c45e6eba83d9011b304d30e8642b7cccad460
Instruction Fuzzy Hash: 09217171A00249AFCB10EF69D985DEEBBB8EF49704B004069F909EB351DB31EA45DB21

Function 00CEA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97D2C: _memmove.LIBCMT ref: 00C97D66

Part of subcall function 00CEA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00CEA399
Part of subcall function 00CEA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CEA3AC
Part of subcall function 00CEA37C: GetCurrentThreadId.KERNEL32 ref: 00CEA3B3
Part of subcall function 00CEA37C: AttachThreadInput.USER32(00000000), ref: 00CEA3BA

GetFocus.USER32 ref: 00CEA554

Part of subcall function 00CEA3C5: GetParent.USER32(?), ref: 00CEA3D3

GetClassNameW.USER32(?,?,00000100), ref: 00CEA59D
EnumChildWindows.USER32(?,00CEA615), ref: 00CEA5C5
__swprintf.LIBCMT ref: 00CEA5DF

Strings

%s%d, xrefs: 00CEA5D9

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 754e387a017c8381fbdb2846c15f9f90b4f0f931fb3094294828b65ae8afad36
Instruction ID: 998c44b985ee928426f48154d1abdd7b87ed3065cedb399ae73ca1972aea58d4
Opcode Fuzzy Hash: 754e387a017c8381fbdb2846c15f9f90b4f0f931fb3094294828b65ae8afad36
Instruction Fuzzy Hash: 4611B4B16003487FDF11BF66DC85FEA377C9F49710F044075F908AA192CA70A9459B75

Function 00CF2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CF2048

Strings

APPEND, xrefs: 00CF2081
EXISTS, xrefs: 00CF2070
KEYS, xrefs: 00CF205F
REMOVE, xrefs: 00CF204E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 38d653a4a14dd99da53e634041cb50a6f70de399aeea0f233d55996957595954
Instruction ID: 27200007c1538ba389c716bfd7108275ea2d07a7e36680b6978d25f429949202
Opcode Fuzzy Hash: 38d653a4a14dd99da53e634041cb50a6f70de399aeea0f233d55996957595954
Instruction Fuzzy Hash: 4D1139319502099FCF40EFA8D8418FEB7B4BF15304F1085A9E865A7392EB326A06EF51

Function 00D0EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00D0EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00D0EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00D0F07E
CloseHandle.KERNEL32(?), ref: 00D0F0FF

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: ab32cc72daef5355929318247af613ebfc984275787c91dea419d94f9bcb861b
Instruction ID: f89deda043611a8a5d36377dc3c617d58f2082d687490df8af62c6a4ef17af81
Opcode Fuzzy Hash: ab32cc72daef5355929318247af613ebfc984275787c91dea419d94f9bcb861b
Instruction Fuzzy Hash: EC816071604301AFDB20DF28C84AB6EB7E5EF48720F14881DF599DB2D2DBB0AC459B56

Function 00CB564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CB56AB
_memcpy_s.LIBCMT ref: 00CB571D
__read_nolock.LIBCMT ref: 00CB577B
__filbuf.LIBCMT ref: 00CB579E
_memset.LIBCMT ref: 00CB57E2

Part of subcall function 00CB8D68: __getptd_noexit.LIBCMT ref: 00CB8D68

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction ID: d858d8bee6abe71b015a0386ad2a23af23717f7789308a0a2e1c31e2c8d71cfe
Opcode Fuzzy Hash: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction Fuzzy Hash: 38519F70B10B05DBDB249FB9C8847EE77B5AF40320F64872AF835A62D0DB719E519B40

Function 00D102C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

Part of subcall function 00D110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00D10038,?,?), ref: 00D110BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00D10388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00D103C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00D1040E
RegCloseKey.ADVAPI32(?,?), ref: 00D1043A
RegCloseKey.ADVAPI32(00000000), ref: 00D10447

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 315213d0aff5a7dc8222463f9b0098129cc5fccceed70bd25d3fea10a9f1b4a0
Instruction ID: 89933575539520999c5be17e8b9c50a8c5d052ba4312eea91d90ad626f38ae04
Opcode Fuzzy Hash: 315213d0aff5a7dc8222463f9b0098129cc5fccceed70bd25d3fea10a9f1b4a0
Instruction Fuzzy Hash: 3E515C71208204AFDB04EF54D885FAEBBE8FF88304F04892DB595872A1DF70E945DB62

Function 00D0DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C99997: __itow.LIBCMT ref: 00C999C2
Part of subcall function 00C99997: __swprintf.LIBCMT ref: 00C99A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D0DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00D0DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00D0DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00D0DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D0DD35

Part of subcall function 00C95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CF7B20,?,?,00000000), ref: 00C95B8C
Part of subcall function 00C95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CF7B20,?,?,00000000,?,?), ref: 00C95BB0

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 6423d93f8ac913b6f18c915b08260b8e970d9b930389ea1ca2bad365f5357b94
Instruction ID: d52ac05cc2b5b89ba850f211bd940ed7c9bb497433289cd065adf10aa75f96b0
Opcode Fuzzy Hash: 6423d93f8ac913b6f18c915b08260b8e970d9b930389ea1ca2bad365f5357b94
Instruction Fuzzy Hash: 45511A35A00205EFDB01EFA8C4889ADB7F5FF58310B19806AE819AB361DB71ED45DB61

Function 00CFE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CFE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00CFE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CFE8F2

Part of subcall function 00C99997: __itow.LIBCMT ref: 00C999C2
Part of subcall function 00C99997: __swprintf.LIBCMT ref: 00C99A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CFE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CFE91F

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 38bbc8db058539dff02f96ae794ebe4ddca0a2a0e57b81778511618a70259b05
Instruction ID: 9122222cab45e1bc2e0bff61f314393f3ac995a06632dfaa9b1366189cbda4a2
Opcode Fuzzy Hash: 38bbc8db058539dff02f96ae794ebe4ddca0a2a0e57b81778511618a70259b05
Instruction Fuzzy Hash: 16511F35A00219EFCF11EF68C9859AEBBF5FF08310B148099E949AB361CB31ED11DB61

Function 00D1A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c395239ed6545897da00d89958a34c4084f2cc337e9cb2bf0d715569e1f1334b
Instruction ID: 4f5c10594cf8441fd633f5f7bb32fedfdae932087412576b265b6f985dac467e
Opcode Fuzzy Hash: c395239ed6545897da00d89958a34c4084f2cc337e9cb2bf0d715569e1f1334b
Instruction Fuzzy Hash: 0A41C135902204BBD710DBACEC48BE9BBA5EB09310F194165E869E72E1DF70ED81DA71

Function 00C92344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C92357
ScreenToClient.USER32(00D567B0,?), ref: 00C92374
GetAsyncKeyState.USER32(00000001), ref: 00C92399
GetAsyncKeyState.USER32(00000002), ref: 00C923A7

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 1a1cf4db56698c26879b90dc46da2459690c72034c3b56c06f7ff6617e405c7c
Instruction ID: 5f6e7fd8e26812bf35f16fe7c7bcd786b4f8f28fc90a28d614f36572ec831748
Opcode Fuzzy Hash: 1a1cf4db56698c26879b90dc46da2459690c72034c3b56c06f7ff6617e405c7c
Instruction Fuzzy Hash: B9418135504119FBDF159F69C888FEDBB78FB05360F20435AF878922A0CB359A90DBA1

Function 00CE6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CE695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00CE69A9
TranslateMessage.USER32(?), ref: 00CE69D2
DispatchMessageW.USER32(?), ref: 00CE69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CE69EB

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: a6a2529ab0ef4a707a561e78086799d98c71e97c38cea770ce90fd93f8e7cd84
Instruction ID: f11c0d5605c88a931853b47be5d941aaf400a9ef2fd2c16c6edccfdb25c842ad
Opcode Fuzzy Hash: a6a2529ab0ef4a707a561e78086799d98c71e97c38cea770ce90fd93f8e7cd84
Instruction Fuzzy Hash: FA31C531920386AADB60CF76CC44BBA7BA8AB25385F544175E831D32A2D734D985D7B0

Function 00CE8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CE8F12
PostMessageW.USER32(?,00000201,00000001), ref: 00CE8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00CE8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00CE8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00CE8FDA

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 437e8aaa78d38d8508ecc10f73b7f249e58387c2ed02aca60a52cf13f182ab48
Instruction ID: f60e008882b9daa2b45abc74ddcedd3e226446d3dd52d61750af556306d446f2
Opcode Fuzzy Hash: 437e8aaa78d38d8508ecc10f73b7f249e58387c2ed02aca60a52cf13f182ab48
Instruction Fuzzy Hash: 2631C271500259EFDF14CFA9D94CADE7BB6FB04315F108229F929E62D0CB709A54DB50

Function 00CEB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00CEB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CEB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CEB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00CEB742
_wcsstr.LIBCMT ref: 00CEB74C

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 3b73c4f6f05fc4f1243431004f67613b52dd59fb8420324a1ce364440b264a0e
Instruction ID: 93128bd9201049a18639e872fb278c11e28f1e98b016ca2d2a9b2d18044dc414
Opcode Fuzzy Hash: 3b73c4f6f05fc4f1243431004f67613b52dd59fb8420324a1ce364440b264a0e
Instruction Fuzzy Hash: 0421F931204384BBEB255B7AAC49EBB7B9CDF45750F108039FC05CA2A1EF61DD419670

Function 00D1B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00C92612: GetWindowLongW.USER32(?,000000EB), ref: 00C92623

GetWindowLongW.USER32(?,000000F0), ref: 00D1B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00D1B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D1B489
GetSystemMetrics.USER32(00000004), ref: 00D1B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00D01184,00000000), ref: 00D1B4D0

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 50fa20cd6d37096d896beec170e54fb948099635e5f5fa42fa00d5a6287e272f
Instruction ID: 93911e244379ee6befd26b0b8aee476b112c00d0301fe50e25de88ba18b63607
Opcode Fuzzy Hash: 50fa20cd6d37096d896beec170e54fb948099635e5f5fa42fa00d5a6287e272f
Instruction Fuzzy Hash: 52218271510315BFCB108F38EC04AA53BA4EB05739B148725FD65C32E1EB30D851DB60

Function 00CE97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CE9802

Part of subcall function 00C97D2C: _memmove.LIBCMT ref: 00C97D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CE9834
__itow.LIBCMT ref: 00CE984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CE9874
__itow.LIBCMT ref: 00CE9885

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 6d52ed9964e63233fd8d9b33e0946871a254cc335ebfeb8b32db2b5608dc3541
Instruction ID: afde31c81fbafd69e21c9104020cd5dff1ffd85c7af22d134f4be0fe9f19b59d
Opcode Fuzzy Hash: 6d52ed9964e63233fd8d9b33e0946871a254cc335ebfeb8b32db2b5608dc3541
Instruction Fuzzy Hash: E821C835701384BFDF209B669C8AEEE7BA8DF4A710F044025F905DB2A1EA708D45D7A1

Function 00C912F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C9134D
SelectObject.GDI32(?,00000000), ref: 00C9135C
BeginPath.GDI32(?), ref: 00C91373
SelectObject.GDI32(?,00000000), ref: 00C9139C

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c7d91d3c59e998249c2546bb47397e47b58dc613e5db834c60e7ab1bfb507989
Instruction ID: 439f05dee77219f5902afbc2565fe82cd9de4d71965c343d8ac3cb473cc2b3e8
Opcode Fuzzy Hash: c7d91d3c59e998249c2546bb47397e47b58dc613e5db834c60e7ab1bfb507989
Instruction Fuzzy Hash: 05210A70800305EBDF119F25DC097A97BB9BB14362F988266EC25D62F0DB71DA91DBA0

Function 00CEC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00CEC176
_memcmp.LIBCMT ref: 00CEC194
_memcmp.LIBCMT ref: 00CEC1A7
_memcmp.LIBCMT ref: 00CEC1BF
_memcmp.LIBCMT ref: 00CEC1D7

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7a3d6969958ca33b795903b5ff8829d7b33605f8c7a9236655061475d4e34af1
Instruction ID: b0b3238539c63121a80ee76234dc6493f3bf64e169c9c063debca1e0f9ad2f3a
Opcode Fuzzy Hash: 7a3d6969958ca33b795903b5ff8829d7b33605f8c7a9236655061475d4e34af1
Instruction Fuzzy Hash: 3201B5B26042557FE204A6229CD2FFF775CDB21398F484025FD1496283E654DF1692F1

Function 00CF4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00CF4D5C
__beginthreadex.LIBCMT ref: 00CF4D7A
MessageBoxW.USER32(?,?,?,?), ref: 00CF4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CF4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CF4DAC

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: ae62e1584a80e7705bf5befda5a35ae49d8ce83dda5f2cbd251e424e5347a157
Instruction ID: 7bacd5d763d48f0280fae62b81101fd055fd6bd73b9bff55f370dea4d2e097af
Opcode Fuzzy Hash: ae62e1584a80e7705bf5befda5a35ae49d8ce83dda5f2cbd251e424e5347a157
Instruction Fuzzy Hash: 1411E1B2904308BFC7059BA8DC08AEB7BACEB45321F148365FE24D3361DA758D4087B1

Function 00CE874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CE8766
GetLastError.KERNEL32(?,00CE822A,?,?,?), ref: 00CE8770
GetProcessHeap.KERNEL32(00000008,?,?,00CE822A,?,?,?), ref: 00CE877F
HeapAlloc.KERNEL32(00000000,?,00CE822A,?,?,?), ref: 00CE8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CE879D

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 41052ebcb82356d10f3a9a7f6aec3fd27714cced706b7761a966da9de20f0a9b
Instruction ID: d050c827b800168f7e2db4819d98d8cf3fce4ccb5dd6e35dfea95ed8d0039f38
Opcode Fuzzy Hash: 41052ebcb82356d10f3a9a7f6aec3fd27714cced706b7761a966da9de20f0a9b
Instruction Fuzzy Hash: 63014671240344FFDB204FA6DC88DABBBACEF8A355B204569F899C2260DE318D05CA70

Function 00CF54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CF5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00CF5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CF5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00CF5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CF555E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 3b28261545257357eadcaa5fb3bf6a8d31ff7149d5fdd82af99831e24bb5dea9
Instruction ID: 1f82585f7d9965e575ea75a8dde5286b151743822b0067fedf05cda241980124
Opcode Fuzzy Hash: 3b28261545257357eadcaa5fb3bf6a8d31ff7149d5fdd82af99831e24bb5dea9
Instruction Fuzzy Hash: 7F013931C04A2DEBCF009BE9E848AEDBB78BB09701F004156EB01F2240DB30569187A2

Function 00CE7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CE758C,80070057,?,?,?,00CE799D), ref: 00CE766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CE758C,80070057,?,?), ref: 00CE768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CE758C,80070057,?,?), ref: 00CE7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CE758C,80070057,?), ref: 00CE76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00CE758C,80070057,?,?), ref: 00CE76B4

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 4ab253979d77b8319b1bac3fc55357cccabe223946739a671fea59ff484d3134
Instruction ID: 4dd5a25fd1070fde58767e65ba532002b3e6baa56810d6bdb18bec368888b0c0
Opcode Fuzzy Hash: 4ab253979d77b8319b1bac3fc55357cccabe223946739a671fea59ff484d3134
Instruction Fuzzy Hash: 5A0184B6601704BBDB109F59DC48BAE7BADEB44755F144128FD04D2321EB31DE4197B0

Function 00CE85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CE8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CE8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CE8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CE8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CE863E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 78cc0b9af608c417ee8c913aae01891af1a212e9b11eb024533c83ac7049f57e
Instruction ID: ad94d90c20b3c06fa98a891d2e98c38cf40de76dc72610bdf09a162dde829131
Opcode Fuzzy Hash: 78cc0b9af608c417ee8c913aae01891af1a212e9b11eb024533c83ac7049f57e
Instruction Fuzzy Hash: 56F04975241344BFEB100FA6DC89EAB3BACFF8A764B008529F959C6250CF619D46DA70

Function 00CE8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CE8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CE8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CE8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CE8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CE869F

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: aa34cb2d953a4b24ee24fbbf01c4e1fe7fdb1c3e8a6c06ba851c26e5b83c0d62
Instruction ID: 27e72debdf7f816113d7afbb38d578d20a278cffa5953308bd119259cb744beb
Opcode Fuzzy Hash: aa34cb2d953a4b24ee24fbbf01c4e1fe7fdb1c3e8a6c06ba851c26e5b83c0d62
Instruction Fuzzy Hash: 54F0C270240344BFEB111FA5EC88EA73BACEF89754B100025F959C2250CF70DE46DA70

Function 00CEC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00CEC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00CEC6D1
MessageBeep.USER32(00000000), ref: 00CEC6E9
KillTimer.USER32(?,0000040A), ref: 00CEC705
EndDialog.USER32(?,00000001), ref: 00CEC71F

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: fa634ca5ba7fb460a2ea749039b913812544521cc688c6275c5f49b2636979d4
Instruction ID: 52897a8609f0e968610e89b0522ff4e9425bb5c275a77975adf17a02fcc6ed39
Opcode Fuzzy Hash: fa634ca5ba7fb460a2ea749039b913812544521cc688c6275c5f49b2636979d4
Instruction Fuzzy Hash: 4A01AD70510744ABEB209F21DC8EFA67BB8FF00701F004669F592E11E0EFE0AA568F90

Function 00C913B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C913BF
StrokeAndFillPath.GDI32(?,?,00CCBAD8,00000000,?), ref: 00C913DB
SelectObject.GDI32(?,00000000), ref: 00C913EE
DeleteObject.GDI32 ref: 00C91401
StrokePath.GDI32(?), ref: 00C9141C

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 71a08d6c053dceaebbeaab23267bd70d37c4797747dee910ccae49fba47085a5
Instruction ID: 7bf810f2e755b032086d1049593d70756a795a3ca8fab2b667b407132b7ceba6
Opcode Fuzzy Hash: 71a08d6c053dceaebbeaab23267bd70d37c4797747dee910ccae49fba47085a5
Instruction Fuzzy Hash: 64F0B630004709ABDB115F26EC0D7983FA5A725326F88C224ED3AC62F1CB318A96DF70

Function 00CFC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CFC69D
CoCreateInstance.OLE32(00D22D6C,00000000,00000001,00D22BDC,?), ref: 00CFC6B5

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

CoUninitialize.OLE32 ref: 00CFC922

Strings

.lnk, xrefs: 00CFC631, 00CFC659, 00CFC663

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: eb1ea1e529b4b631c9e9bd11193f6a05b05e9624eba71beb91f23e7359470753
Instruction ID: 2feb2f8d2418ce5f3fe342771bb257eda1defc49fbf05cb914d4bc9e41eb2d4d
Opcode Fuzzy Hash: eb1ea1e529b4b631c9e9bd11193f6a05b05e9624eba71beb91f23e7359470753
Instruction Fuzzy Hash: C3A12A71118205AFD700EF54C885EAFB7E8FF98714F00492CF156971A2EB71EA49DB62

Function 00CA2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00CB0FF6: std::exception::exception.LIBCMT ref: 00CB102C
Part of subcall function 00CB0FF6: __CxxThrowException@8.LIBCMT ref: 00CB1041

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

Part of subcall function 00C97BB1: _memmove.LIBCMT ref: 00C97C0B

__swprintf.LIBCMT ref: 00CA302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00CA2EC6

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: ca54e111f607156795d341e74e3e69ff38e03873e48e0ef6e84f970a611290da
Instruction ID: f91f626911c808aa99d0deac42e97db46856825b876fbe01fbb392006eee9cae
Opcode Fuzzy Hash: ca54e111f607156795d341e74e3e69ff38e03873e48e0ef6e84f970a611290da
Instruction Fuzzy Hash: 8891BE711087429FCB18EF68D899C6FB7A4EF95704F00491EF5929B2A1DB30EE44EB52

Function 00CFBBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C948A1,?,?,00C937C0,?), ref: 00C948CE

CoInitialize.OLE32(00000000), ref: 00CFBC26
CoCreateInstance.OLE32(00D22D6C,00000000,00000001,00D22BDC,?), ref: 00CFBC3F
CoUninitialize.OLE32 ref: 00CFBC5C

Part of subcall function 00C99997: __itow.LIBCMT ref: 00C999C2
Part of subcall function 00C99997: __swprintf.LIBCMT ref: 00C99A0C

Strings

.lnk, xrefs: 00CFBC08, 00CFBC16

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 24ca9dc264f891f30105c07094e787f5b6098e86f402c266b659a89b08d4b6b8
Instruction ID: acc4a83a37fb5d50fef40b2282303e0acfc3786e3c6262a79dbc5e5adc365c88
Opcode Fuzzy Hash: 24ca9dc264f891f30105c07094e787f5b6098e86f402c266b659a89b08d4b6b8
Instruction Fuzzy Hash: 78A123756043059FCB04DF18C888D6ABBE5FF88314F158998F9A99B3A1CB31ED45CB92

Function 00CB524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00CB52DD

Part of subcall function 00CC0340: __87except.LIBCMT ref: 00CC037B

Strings

pow, xrefs: 00CB52B5, 00CB52D2

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: a4bacd39364c10f79ca5c95e54c2f05bd966f8a9d4f68a6c55766f6c5cb622e0
Instruction ID: 2bc732d18523149d2537062a1a2406963b725b0a0ca4a3c06e1fd2c616ff1bf7
Opcode Fuzzy Hash: a4bacd39364c10f79ca5c95e54c2f05bd966f8a9d4f68a6c55766f6c5cb622e0
Instruction Fuzzy Hash: 9B516821E0EB01C7CB25B724C941BBF2BD49B00750F344D5CE5A5823FAEE748EC4AA56

Function 00CB023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00CB0277
#, xrefs: 00CB0280

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: b1c605fec59d85d70cb29fc0828112d4181cef4c0f23857e242489d32a015b67
Instruction ID: f7ae8f4d9f8f68e98976ae333106421b4b99d4d426222225e07c8370f6d8a593
Opcode Fuzzy Hash: b1c605fec59d85d70cb29fc0828112d4181cef4c0f23857e242489d32a015b67
Instruction Fuzzy Hash: 28513375505286DFCF15DF2AC8886FE7BA4EF26310F284055ECA19B2A0D7349F46CB60

Function 00CA62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CA63A8
_memmove.LIBCMT ref: 00CA6446
_memset.LIBCMT ref: 00CA646A

Strings

ERCP, xrefs: 00CA6313

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 81f536bee3acca33df6a2cfe46d5e0ab57569af4d505d1f62e938efc0e4571d6
Instruction ID: 41a88ea44b862f1d7d379d49b92a342f25e4eff0d6ee456ccdf799badec3006e
Opcode Fuzzy Hash: 81f536bee3acca33df6a2cfe46d5e0ab57569af4d505d1f62e938efc0e4571d6
Instruction Fuzzy Hash: 9251B27190070ADBDB24CF65C8817AABBF4EF08714F28856EE95ACB241E771DA94CB50

Function 00CE9CD7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF19CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CE9778,?,?,00000034,00000800,?,00000034), ref: 00CF19F6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00CE9D21

Part of subcall function 00CF1997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CE97A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00CF19C1

Part of subcall function 00CF18EE: GetWindowThreadProcessId.USER32(?,?), ref: 00CF1919
Part of subcall function 00CF18EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00CE973C,00000034,?,?,00001004,00000000,00000000), ref: 00CF1929
Part of subcall function 00CF18EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00CE973C,00000034,?,?,00001004,00000000,00000000), ref: 00CF193F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CE9D8E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CE9DDB

Strings

@, xrefs: 00CE9DF3

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ca451f4256ab16047fc8919d4fe3ba4723b577adc8aa4aa9ef4be80b4c77ce0a
Instruction ID: 95ac9d3c75ba107fedde3c17975872cfe8794e6729ccb11ec9fa62c6e259c8b0
Opcode Fuzzy Hash: ca451f4256ab16047fc8919d4fe3ba4723b577adc8aa4aa9ef4be80b4c77ce0a
Instruction Fuzzy Hash: A0414B76A0021DBFDB10DBA4CC81BEEBBB8EB09300F044095FA55B7191DA706F85DBA1

Function 00D17BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D1F910,00000000,?,?,?,?), ref: 00D17C4E
GetWindowLongW.USER32 ref: 00D17C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D17C7B

Strings

SysTreeView32, xrefs: 00D17C20

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 027301add0d58a2f01584ca6cdeef383dfc9afb9850c1e2ebc2c2860187be792
Instruction ID: 6c02016e52e25d62d3b6e385073f76f8a8561bf3b3363a067e7221fc1a3300ab
Opcode Fuzzy Hash: 027301add0d58a2f01584ca6cdeef383dfc9afb9850c1e2ebc2c2860187be792
Instruction Fuzzy Hash: 12318031244205BFDB119F34EC45BDA77AAEB59324F244725F875D32E0DB31E8919BA0

Function 00D17648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D176D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D176E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00D17708

Strings

SysMonthCal32, xrefs: 00D1769B

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: a5ad25bbbc29efd2da041d6a3a75b19de11c950f87158058af430b8defb2cea2
Instruction ID: 9ad6e485ef57c16090ee8861ac9dcaafc5e82bbf28f23d8cd9926cbaf9f3289d
Opcode Fuzzy Hash: a5ad25bbbc29efd2da041d6a3a75b19de11c950f87158058af430b8defb2cea2
Instruction Fuzzy Hash: 1621BF32640219BBDF11CF64DC46FEA3B79EB58724F150214FE15AB1E0DAB1A8919BA0

Function 00D16F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D16FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D16FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D16FDF

Strings

Listbox, xrefs: 00D16F77

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: e53155244347437ffeb911f368387a93a63c4300454675678cb4606055a1c7ba
Instruction ID: c7273c96166eb72ab58cf57ae9440bdc6454ca54f647456ab1cc36d1fa77b733
Opcode Fuzzy Hash: e53155244347437ffeb911f368387a93a63c4300454675678cb4606055a1c7ba
Instruction Fuzzy Hash: 51216232611218BFDF118F54EC85EEB37AAEF89764F158124F9149B190CA71EC92DBB0

Function 00D1797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D179E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D179F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D17A03

Strings

msctls_trackbar32, xrefs: 00D179B8

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: efb94771be64a8028e4a47c864a2eb5205a809beab3a12eaea273f06669c4bad
Instruction ID: 8db35a6037253445115f77857e4504e0c782e6c4ccea7319c8970a46287678a8
Opcode Fuzzy Hash: efb94771be64a8028e4a47c864a2eb5205a809beab3a12eaea273f06669c4bad
Instruction Fuzzy Hash: 9711E372244208BBEF109F70DC05FEB37A9EF89B64F154519FA45A60A0DA71D891DB70

Function 00C94C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C94C2E), ref: 00C94CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C94CB5

Strings

GetNativeSystemInfo, xrefs: 00C94CAF
kernel32.dll, xrefs: 00C94C9E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 7f23c40259c112724b79f2c08d80a2ac9ce2945317442a0640fd71a2b9c94a44
Instruction ID: 41c968c05d320164f6174b078f8f9f26cbdaf750fcec8cd4cdc0139ae8abb550
Opcode Fuzzy Hash: 7f23c40259c112724b79f2c08d80a2ac9ce2945317442a0640fd71a2b9c94a44
Instruction Fuzzy Hash: C3D0C730600723EFCB208F30EA08A8272E4AF00780B10C83A989AC2250EA70C8C0CA20

Function 00C94D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C94CE1,?), ref: 00C94DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C94DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00C94DAE
kernel32.dll, xrefs: 00C94D9D

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 2df4932cb416a5a3f1101e6eddb9f331a83eac8ab6721be033a8c9b480d10e56
Instruction ID: 06c634d99073c9886801cb658468bdbb2d55543089d4506981c93102e94d0f9e
Opcode Fuzzy Hash: 2df4932cb416a5a3f1101e6eddb9f331a83eac8ab6721be033a8c9b480d10e56
Instruction Fuzzy Hash: 0DD01776564713EFEB209F31E808A8676E4AF05355B11C83AD8D6D6250EB74D8C1CA60

Function 00C94D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C94D2E,?,00C94F4F,?,00D562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C94D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C94D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00C94D7B
kernel32.dll, xrefs: 00C94D6A

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 1bfd2ac8a73581e2102d95e6382b5cdbb4e4d72382d6c5b1a653c2ddb87aeac4
Instruction ID: 98092e6ed88d656753c0d43f585da0958ff1facef65c56578c3ad5be4533d969
Opcode Fuzzy Hash: 1bfd2ac8a73581e2102d95e6382b5cdbb4e4d72382d6c5b1a653c2ddb87aeac4
Instruction Fuzzy Hash: D9D0C732500713EFEB208F30E808A8272E8BF00352B10C93A9496C2350EB70C8C0CA20

Function 00D11072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00D112C1), ref: 00D11080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00D11092

Strings

RegDeleteKeyExW, xrefs: 00D1108C
advapi32.dll, xrefs: 00D1107B

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 1aeae879e1fe406a30c6649a6c5e12a63b5ade5d2ff7183341e42a56094ba146
Instruction ID: 2f22db83c04dd99ff5abe5c4758752f083393cb8feb941fa272cf195a32eaeb3
Opcode Fuzzy Hash: 1aeae879e1fe406a30c6649a6c5e12a63b5ade5d2ff7183341e42a56094ba146
Instruction Fuzzy Hash: 34D01235910B12EFD7205F35D85869676E4AF19361B55CC3AA489DA250DBB0C4C0C670

Function 00D093F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00D09009,?,00D1F910), ref: 00D09403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00D09415

Strings

kernel32.dll, xrefs: 00D093FE
GetModuleHandleExW, xrefs: 00D0940F

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 8aaac123c8df311eca4b25d111bdac142dcae9ea7413ef16fb170001cf2c44ad
Instruction ID: f08e457cc0eb309f320ffbefc09d4e011b3409615fdca1fb82440cbccc225345
Opcode Fuzzy Hash: 8aaac123c8df311eca4b25d111bdac142dcae9ea7413ef16fb170001cf2c44ad
Instruction Fuzzy Hash: DDD0C734504723EFC7208F30EA08282B2E4AF00341B04C83AA88AC2690EA70C8C0CA30

Function 00CD1B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CD1B42
__swprintf.LIBCMT ref: 00CD1B73

Strings

%.3d, xrefs: 00CD1B4D
WIN_XPe, xrefs: 00CD1BB2

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 5b9bf61a7cb45af8a3ad5cddc275360a0e0ffc842cf0e1822bb766fe359a2c53
Instruction ID: 7212a90187da7e313eed89ed566802a84ff35274820d005a878be16841ac3561
Opcode Fuzzy Hash: 5b9bf61a7cb45af8a3ad5cddc275360a0e0ffc842cf0e1822bb766fe359a2c53
Instruction Fuzzy Hash: ABD017F1C04218FBCB04AB929C84CFA737CAB08301F180593FE02E6240F3759B85AB26

Function 00CE76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f2224f7e9e80cb75cde5cf02f3e4771986aed705447fbca98fcc56fd571889
Instruction ID: 2d432e45c53b089225f6c4162cd68a6fae95f955f4317589ded93b75ab3f0d56
Opcode Fuzzy Hash: 08f2224f7e9e80cb75cde5cf02f3e4771986aed705447fbca98fcc56fd571889
Instruction Fuzzy Hash: 27C19175A04256EFCB14CF95C888EAEBBF5FF48710B118698E815EB251D730EE81DB90

Function 00D0E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00D0E3D2
CharLowerBuffW.USER32(?,?), ref: 00D0E415

Part of subcall function 00D0DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00D0DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00D0E615
_memmove.LIBCMT ref: 00D0E628

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 6897a56c4e5f1590cd30fb48ee51be29ca854e3b653716197ac52e1a52cd518e
Instruction ID: 4330a9051cc095bb6b6c7d26b25cf504561c92df15f87426ae43ca95a826179a
Opcode Fuzzy Hash: 6897a56c4e5f1590cd30fb48ee51be29ca854e3b653716197ac52e1a52cd518e
Instruction Fuzzy Hash: D0C15B716083019FCB14DF28C484A6ABBE4FF88714F188D6DF8999B391D731E946CB92

Function 00D083A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00D083D8
CoUninitialize.OLE32 ref: 00D083E3

Part of subcall function 00CEDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CEDAC5

VariantInit.OLEAUT32(?), ref: 00D083EE
VariantClear.OLEAUT32(?), ref: 00D086BF

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 557c777f8f72b456b7178e60eb410bd7acc4008ba915d771c83603ee8c22ab98
Instruction ID: 305ca1151e9a39295761b3f80843c91351f243d7d57592a65696ecb8957a5431
Opcode Fuzzy Hash: 557c777f8f72b456b7178e60eb410bd7acc4008ba915d771c83603ee8c22ab98
Instruction Fuzzy Hash: 61A1F2752047019FCB10DF18C885B2AB7E5FF88314F19854CF99A9B3A2CB30E904EB66

Function 00CE7A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D22C7C,?), ref: 00CE7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D22C7C,?), ref: 00CE7C4A
CLSIDFromProgID.OLE32(?,?,00000000,00D1FB80,000000FF,?,00000000,00000800,00000000,?,00D22C7C,?), ref: 00CE7C6F
_memcmp.LIBCMT ref: 00CE7C90

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8b562944ac7c3c468aa314c1d2127a95633d244b00330d6cf22072a40b956f43
Instruction ID: 7f9b097d13d749c8a3ad2a11595fb0484d8dfe81a099919a972e0dc2f1a6dd12
Opcode Fuzzy Hash: 8b562944ac7c3c468aa314c1d2127a95633d244b00330d6cf22072a40b956f43
Instruction Fuzzy Hash: E4810C71A00209EFCB04DF95C988EEEB7B9FF89315F204198F515AB250DB71AE46CB60

Function 00CE6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CE6E04
SysAllocString.OLEAUT32(00000000), ref: 00CE6EAD
VariantCopy.OLEAUT32 ref: 00CE6EDC
VariantClear.OLEAUT32(?), ref: 00CE6F03

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 9d4e642aaedcb823b0688917d17719fb6c74108089cbae9b16c8444dbe566397
Instruction ID: 92dea5847b786f256238ddd0326212c12e1b31a40465a890c0ca3681111676b5
Opcode Fuzzy Hash: 9d4e642aaedcb823b0688917d17719fb6c74108089cbae9b16c8444dbe566397
Instruction Fuzzy Hash: AD51DB316143819BDB209FABD895B7EF3E4EF54310F20891FE596CB291DF709940AB11

Function 00D19A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01670C68,?), ref: 00D19AD2
ScreenToClient.USER32(00000002,00000002), ref: 00D19B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00D19B72

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 04a49cbd3ba8099201a8d9aaf1f2959fa98659ea4d791006ed234ef7fac6943c
Instruction ID: 00985684cfe0e43513199182ffbc6f691e9d2b1248e6ad4a0b0574124814b578
Opcode Fuzzy Hash: 04a49cbd3ba8099201a8d9aaf1f2959fa98659ea4d791006ed234ef7fac6943c
Instruction Fuzzy Hash: E3510D34A04209AFCF10DF64E9A19EEBBB6FF55360F148259F8559B290DB30AD81CB60

Function 00D06CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00D06CE4
WSAGetLastError.WSOCK32(00000000), ref: 00D06CF4

Part of subcall function 00C99997: __itow.LIBCMT ref: 00C999C2
Part of subcall function 00C99997: __swprintf.LIBCMT ref: 00C99A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00D06D58
WSAGetLastError.WSOCK32(00000000), ref: 00D06D64

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: b04cec8f5c19eb7a4629196b80634f83fee91f97244d2c76ce00943172b57eb1
Instruction ID: e94014ea976e176c3f2f15dac4a15f114b3f0c3558ef99f3c1e97b488c108004
Opcode Fuzzy Hash: b04cec8f5c19eb7a4629196b80634f83fee91f97244d2c76ce00943172b57eb1
Instruction Fuzzy Hash: E1418274740200AFEB20AF28DC8AF7E77A5DF05B14F44801CFA59DB2D2DA759D0197A1

Function 00D0672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00D1F910), ref: 00D067BA
_strlen.LIBCMT ref: 00D067EC

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 28bb70395a69deba148c386cfc596f444c3a7a56374143ccc4b9cf0f58fa8809
Instruction ID: 75cd08a4b78b225bd63ade1b6d86f49258e303c6eefad825df5f4b30eb6cd5c4
Opcode Fuzzy Hash: 28bb70395a69deba148c386cfc596f444c3a7a56374143ccc4b9cf0f58fa8809
Instruction Fuzzy Hash: C1417131A00104AFCB14EBA4DCD5FAEB3A9EF48314F148169F91A972D1DB30ED14D760

Function 00CFBA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CFBB09
GetLastError.KERNEL32(?,00000000), ref: 00CFBB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CFBB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CFBB80

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 165504a1f5fda182030c3868e50ee78c9bbe99ea5f86d11f22dd1f45f4f7edba
Instruction ID: ff800f017443fedffa75e509ccb937dbb9bd4b4655d8e752f7819203ca4fa624
Opcode Fuzzy Hash: 165504a1f5fda182030c3868e50ee78c9bbe99ea5f86d11f22dd1f45f4f7edba
Instruction Fuzzy Hash: 8E412939200614DFCF10EF19C588A6DBBE5EF49310B098498ED5A9B362CB34FD01EB92

Function 00D18AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00D18B4D

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 5c4aa88e69eae64e8a75c118c8e5fbb3e1414143067652bc91ddc9f5049fa805
Instruction ID: 482581421ad7d5abef20e0093e42ba0f3cd0083f6bc0e21210ce20d6303f2897
Opcode Fuzzy Hash: 5c4aa88e69eae64e8a75c118c8e5fbb3e1414143067652bc91ddc9f5049fa805
Instruction Fuzzy Hash: 093190B4648304BFEF20DB18ED85BE937A5EB05310F688616FA55D62E1CE30E9C0A771

Function 00D1ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00D1AE1A
GetWindowRect.USER32(?,?), ref: 00D1AE90
PtInRect.USER32(?,?,00D1C304), ref: 00D1AEA0
MessageBeep.USER32(00000000), ref: 00D1AF11

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6047539c5e36273bb44a9a701849cbcffc76fb2e46747ab41f42affa51a100b0
Instruction ID: fd3fb7b388945a54e26525b4d0f27075d1c1c2943d170c03c6fe60bd1070ef1b
Opcode Fuzzy Hash: 6047539c5e36273bb44a9a701849cbcffc76fb2e46747ab41f42affa51a100b0
Instruction Fuzzy Hash: 9D414A70601219AFCB11CF58E884AA97BF5FF49351F1881A9F814DB351DB30E982DB72

Function 00CF0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00CF1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00CF1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00CF10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00CF110B

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 01b595d5a412e9bb355d7b1c0111535a424c3514c809a28d9cedd0492553bd9d
Instruction ID: e67b528d58386f69535a7ce8cfca5f952db983ff41f181394a04167104935908
Opcode Fuzzy Hash: 01b595d5a412e9bb355d7b1c0111535a424c3514c809a28d9cedd0492553bd9d
Instruction Fuzzy Hash: 69313D30E4065CEEFB748B66CC057F9BBA9AB44310F1C421AEB60921D1CB744AC19753

Function 00CF1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00CF1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00CF1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00CF11F1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00CF1243

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 26ed74fb0877303465820dbc3870fdbe98fd311d5b15fc99cb27d3bc31bc855c
Instruction ID: 4aad032a496d3ebd4413f9812a26272915324cd3cb3324295f46c7ca2eb7ff70
Opcode Fuzzy Hash: 26ed74fb0877303465820dbc3870fdbe98fd311d5b15fc99cb27d3bc31bc855c
Instruction Fuzzy Hash: 8931093094071CEAFF618BA6C8147FE7BAAAB45310F1C831AEBA0921D1C3749A559753

Function 00CC6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00CC644B
__isleadbyte_l.LIBCMT ref: 00CC6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00CC64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00CC64DD

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4947f01ed24629437f540389dda796d69bc156f13fb5e87552a8b4a4ea7e3345
Instruction ID: 2f56e344c37017ab4b59d1ba3f9886476a6e11f87c420c0e6824dbff5ff4d799
Opcode Fuzzy Hash: 4947f01ed24629437f540389dda796d69bc156f13fb5e87552a8b4a4ea7e3345
Instruction Fuzzy Hash: 9A31BE31600246AFDB29CF75CA45FAA7BA9FF40310F15442DF864871A1EB31D991DB90

Function 00D15175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00D15189

Part of subcall function 00CF387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CF3897
Part of subcall function 00CF387D: GetCurrentThreadId.KERNEL32 ref: 00CF389E
Part of subcall function 00CF387D: AttachThreadInput.USER32(00000000,?,00CF52A7), ref: 00CF38A5

GetCaretPos.USER32(?), ref: 00D1519A
ClientToScreen.USER32(00000000,?), ref: 00D151D5
GetForegroundWindow.USER32 ref: 00D151DB

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 181872c369e4224f88f8558a4feafbbc39e3cc32ee30355170c3f775acf28f05
Instruction ID: eeaa354b7f23667a901f96392be4d891325bd178db7f9e067914eda8b56c967a
Opcode Fuzzy Hash: 181872c369e4224f88f8558a4feafbbc39e3cc32ee30355170c3f775acf28f05
Instruction Fuzzy Hash: 1A313E71D00208AFDB00EFA9C8899EFB7FDEF98300F10406AE415E7251EA759E45DBA1

Function 00D1C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C92612: GetWindowLongW.USER32(?,000000EB), ref: 00C92623

GetCursorPos.USER32(?), ref: 00D1C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00CCBBFB,?,?,?,?,?), ref: 00D1C7D7
GetCursorPos.USER32(?), ref: 00D1C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00CCBBFB,?,?,?), ref: 00D1C85E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 248ca60a1bac5a4f47dd60bbb24b1e7f9a959c1854517d68ff261c5e5db4d5f2
Instruction ID: 6189c7a704c2a2e80e7443dd982b233e457b510851799403646139b8ff7d3e68
Opcode Fuzzy Hash: 248ca60a1bac5a4f47dd60bbb24b1e7f9a959c1854517d68ff261c5e5db4d5f2
Instruction Fuzzy Hash: 8C318D35600118FFDB15CF58D898EEA7BBAEB49310F484169F9458B2A2CB319D91DFB0

Function 00CB0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00CB0BF2

Part of subcall function 00C95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CF7B20,?,?,00000000), ref: 00C95B8C
Part of subcall function 00C95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CF7B20,?,?,00000000,?,?), ref: 00C95BB0

_fprintf.LIBCMT ref: 00CB0C29
OutputDebugStringW.KERNEL32(?), ref: 00CE6331

Part of subcall function 00CB4CDA: _flsall.LIBCMT ref: 00CB4CF3

__setmode.LIBCMT ref: 00CB0C5E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 7b9084e3f2c44d0a78fbe4328bc079d82e095cc06a26a0d92fe3e49b697a3813
Instruction ID: de316282d317563570edd4c49665e14054f20131303d713f3054c02f73e97686
Opcode Fuzzy Hash: 7b9084e3f2c44d0a78fbe4328bc079d82e095cc06a26a0d92fe3e49b697a3813
Instruction Fuzzy Hash: B8112731908608BFCB09B3B59C479FE7B6C9F41320F240119F20497193DF705D45A3A6

Function 00CE8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CE8669
Part of subcall function 00CE8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CE8673
Part of subcall function 00CE8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CE8682
Part of subcall function 00CE8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CE8689
Part of subcall function 00CE8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CE869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00CE8BEB
_memcmp.LIBCMT ref: 00CE8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CE8C44
HeapFree.KERNEL32(00000000), ref: 00CE8C4B

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 70abbce72f7435b07f9dba790f2dcbebc9440d22b28baae77088da20ecedda44
Instruction ID: dd20305701778a7addc586aff9e0143bad3e94aeb1009b67b2782048e5e73ef6
Opcode Fuzzy Hash: 70abbce72f7435b07f9dba790f2dcbebc9440d22b28baae77088da20ecedda44
Instruction Fuzzy Hash: 5221AE71E01208EFCB10CFA5C944BEEB7B8FF45344F148099E968A7240DB30AE4ACB60

Function 00D01A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00D01A97

Part of subcall function 00D01B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00D01B40
Part of subcall function 00D01B21: InternetCloseHandle.WININET(00000000), ref: 00D01BDD

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 270b118482f57cf8900c6d00ca8d58ea21a16a527ffd09c3c326733367f0c08a
Instruction ID: 8da20047599d8257cc6282d5c9269b642bdb9d1d8d5ef1dc4af9cbd9b96eac04
Opcode Fuzzy Hash: 270b118482f57cf8900c6d00ca8d58ea21a16a527ffd09c3c326733367f0c08a
Instruction Fuzzy Hash: B6219F39201601BFDB169F608C05FBAB7ADFF85701F14401AFA59966D1EB71D811DBB0

Function 00CEE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CEF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00CEE1C4,?,?,?,00CEEFB7,00000000,000000EF,00000119,?,?), ref: 00CEF5BC
Part of subcall function 00CEF5AD: lstrcpyW.KERNEL32(00000000,?,?,00CEE1C4,?,?,?,00CEEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00CEF5E2
Part of subcall function 00CEF5AD: lstrcmpiW.KERNEL32(00000000,?,00CEE1C4,?,?,?,00CEEFB7,00000000,000000EF,00000119,?,?), ref: 00CEF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00CEEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00CEE1DD
lstrcpyW.KERNEL32(00000000,?,?,00CEEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00CEE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00CEEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00CEE237

Strings

cdecl, xrefs: 00CEE22E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 703f9968e98e082de1b7e7f7fa17266c3a0cd4ca43add6da4b5a111f5b6ce424
Instruction ID: e72a70bc6817ce0e122d6189b3df3d83dafe12ca8355cc70277a519ffae17806
Opcode Fuzzy Hash: 703f9968e98e082de1b7e7f7fa17266c3a0cd4ca43add6da4b5a111f5b6ce424
Instruction Fuzzy Hash: C1119036200385FFCB25AF65DC45DBA77B8FF85350B40802AF916CB260EB719951D7A1

Function 00CC5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00CC5351

Part of subcall function 00CB594C: __FF_MSGBANNER.LIBCMT ref: 00CB5963
Part of subcall function 00CB594C: __NMSG_WRITE.LIBCMT ref: 00CB596A
Part of subcall function 00CB594C: RtlAllocateHeap.NTDLL(01650000,00000000,00000001,00000000,?,?,?,00CB1013,?), ref: 00CB598F

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: de3ece76005a1fa2b3312953875d627dc0259ca6bad589f7e1fb40a9f252c46e
Instruction ID: 274d8d8b593d08adc6b601da1e371e96ebcc8ee439808cadc7640a58267f2745
Opcode Fuzzy Hash: de3ece76005a1fa2b3312953875d627dc0259ca6bad589f7e1fb40a9f252c46e
Instruction Fuzzy Hash: BC11A732504B56AFCB312FB0EC45BAD3798AF103A0F18452EF955DA1B1DE719AC1E760

Function 00C94531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C94560

Part of subcall function 00C9410D: _memset.LIBCMT ref: 00C9418D
Part of subcall function 00C9410D: _wcscpy.LIBCMT ref: 00C941E1
Part of subcall function 00C9410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C941F1

KillTimer.USER32(?,00000001,?,?), ref: 00C945B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C945C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CCD6CE

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 15d870d06b0eac4d4b4ad19bccad527bedb889458b68cc714ee2238ecd859352
Instruction ID: 7599a15a99a42e1472d35fee80214ed0d7544e4862912c186269dca9794db333
Opcode Fuzzy Hash: 15d870d06b0eac4d4b4ad19bccad527bedb889458b68cc714ee2238ecd859352
Instruction Fuzzy Hash: AD21A770904784AFEB328B64DC59FEBBBEC9F01305F04049EE69E96281C7745A85DB51

Function 00D0667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00CF7B20,?,?,00000000), ref: 00C95B8C
Part of subcall function 00C95B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00CF7B20,?,?,00000000,?,?), ref: 00C95BB0

gethostbyname.WSOCK32(?,?,?), ref: 00D066AC
WSAGetLastError.WSOCK32(00000000), ref: 00D066B7
_memmove.LIBCMT ref: 00D066E4
inet_ntoa.WSOCK32(?), ref: 00D066EF

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 10c3ea6f961732e26a6622a47a98c425ed6df509b35ab19505466ceaaf79e0e5
Instruction ID: dd6bd35e7340ed651e2179fc24214f6d7f0066186559b888aae35177c9263fa6
Opcode Fuzzy Hash: 10c3ea6f961732e26a6622a47a98c425ed6df509b35ab19505466ceaaf79e0e5
Instruction Fuzzy Hash: 9C116075900508AFCF01FBA4DD8ADEEB7B8EF18310B144069F506A72A1DF30AE14EB61

Function 00CE9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00CE9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CE9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CE906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CE9086

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a80d038f470915530adb2a5e3fef38b022a6e220742e371c3322fe41e8aa1142
Instruction ID: 53b2d1ab9c35963f9b38fd75f186bb1b4e863bb4a8f357c6aedcea699d338869
Opcode Fuzzy Hash: a80d038f470915530adb2a5e3fef38b022a6e220742e371c3322fe41e8aa1142
Instruction Fuzzy Hash: 0D115E79900218FFDB10DFA5CC84E9DFB74FB48310F204095E904B7250D6716E50DB90

Function 00C91290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00C92612: GetWindowLongW.USER32(?,000000EB), ref: 00C92623

DefDlgProcW.USER32(?,00000020,?), ref: 00C912D8
GetClientRect.USER32(?,?), ref: 00CCB84B
GetCursorPos.USER32(?), ref: 00CCB855
ScreenToClient.USER32(?,?), ref: 00CCB860

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: fbe7daeda8a0023e4e320e52d28bd54474fc1d14b890e7a72c1be78898890fe5
Instruction ID: 6073879e2aa82eee38646f2f814b5e7394fd36a4dfcb47cdea48b4b0aeea12f3
Opcode Fuzzy Hash: fbe7daeda8a0023e4e320e52d28bd54474fc1d14b890e7a72c1be78898890fe5
Instruction Fuzzy Hash: 44113A35A0051ABFCF00EF98D88A9EE7BB9EB05301F4044A5F951E7251CB30BA529BB5

Function 00CF1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CF01FD,?,00CF1250,?,00008000), ref: 00CF166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00CF01FD,?,00CF1250,?,00008000), ref: 00CF1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00CF01FD,?,00CF1250,?,00008000), ref: 00CF169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00CF01FD,?,00CF1250,?,00008000), ref: 00CF16D1

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: fc2aa2a76cf7a8e6843e46e0d13bace97a6e6e2dfccb436bcc66a2d5393dcd5a
Instruction ID: 0d065a1d014ffaafcc9762577541b50cedd4d820f083b10db2b803467b326162
Opcode Fuzzy Hash: fc2aa2a76cf7a8e6843e46e0d13bace97a6e6e2dfccb436bcc66a2d5393dcd5a
Instruction Fuzzy Hash: E8111831C1461DEBCF009FA6D949AFEBB78FF19751F094159EE40F6240CB3096A18BA6

Function 00CC7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00CC722B

Part of subcall function 00CC7912: __fltout2.LIBCMT ref: 00CC793B

__cftog_l.LIBCMT ref: 00CC7251
__cftoe_l.LIBCMT ref: 00CC7283

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: aec7bf98249a54666dbea333a4a3dc54c566e4f4c5abaa358ff8fb27fbef42e3
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 3F014B3604814AFBCF525F85CC01DEE3F66FF69351B588619FA2858031D236CAB1AF81

Function 00D1B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D1B59E
ScreenToClient.USER32(?,?), ref: 00D1B5B6
ScreenToClient.USER32(?,?), ref: 00D1B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D1B5F5

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a18c04b531ba60793bf998f38f8a97c74d626fb05054be552c42865265a63c86
Instruction ID: 975d9dddd94b5af774411e608a49396856255fcb9cfc80dfe4f6c38840406298
Opcode Fuzzy Hash: a18c04b531ba60793bf998f38f8a97c74d626fb05054be552c42865265a63c86
Instruction Fuzzy Hash: AB1146B9D00209EFDB41CF99D4449EEFBB5FB08310F108166E954E3620D735AA558F60

Function 00D1B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D1B8FE
_memset.LIBCMT ref: 00D1B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00D57F20,00D57F64), ref: 00D1B93C
CloseHandle.KERNEL32 ref: 00D1B94E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 3e3454de4087be30b63f4dac31e0ded053d7c944db6f002c9847f7b2b3d7c7b2
Instruction ID: 3758eb19fe747cb09199dcf7fc12f4e8f9b264862f2399a06018a8a372b4ec66
Opcode Fuzzy Hash: 3e3454de4087be30b63f4dac31e0ded053d7c944db6f002c9847f7b2b3d7c7b2
Instruction Fuzzy Hash: 70F05EB26483007BE610AB61BC05FBB3A5CEF09355F104021FE09D53A2DB71590087B8

Function 00CF6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00CF6E88

Part of subcall function 00CF794E: _memset.LIBCMT ref: 00CF7983

_memmove.LIBCMT ref: 00CF6EAB
_memset.LIBCMT ref: 00CF6EB8
LeaveCriticalSection.KERNEL32(?), ref: 00CF6EC8

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 73ba3286589034fb48639ba6d15509181ccf403111596f996529c29f75207cc1
Instruction ID: b85537d10822f9a5236d846a815ae88841b98032e23e89f5b9ccb0cf4acef4df
Opcode Fuzzy Hash: 73ba3286589034fb48639ba6d15509181ccf403111596f996529c29f75207cc1
Instruction Fuzzy Hash: 43F0547A100204BBCF416F55EC85A99BB2AEF45320F04C061FE089E216CB71A911DBB5

Function 00D1C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C912F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C9134D
Part of subcall function 00C912F3: SelectObject.GDI32(?,00000000), ref: 00C9135C
Part of subcall function 00C912F3: BeginPath.GDI32(?), ref: 00C91373
Part of subcall function 00C912F3: SelectObject.GDI32(?,00000000), ref: 00C9139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00D1C030
LineTo.GDI32(00000000,?,?), ref: 00D1C03D
EndPath.GDI32(00000000), ref: 00D1C04D
StrokePath.GDI32(00000000), ref: 00D1C05B

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: b20a94c28f6b86a4804a4b9bbfc47474f3005ba270d14b572a5bdeafad8073c1
Instruction ID: 0ad6afd8c42b2e5a584b64a775def074b6cbdb512a20962f749d4bc0b073beec
Opcode Fuzzy Hash: b20a94c28f6b86a4804a4b9bbfc47474f3005ba270d14b572a5bdeafad8073c1
Instruction Fuzzy Hash: F2F05E31041369BBDB126F54AC0AFCE3F59AF19311F588000FA15A12E2CB7556A2DBB5

Function 00CEA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00CEA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00CEA3AC
GetCurrentThreadId.KERNEL32 ref: 00CEA3B3
AttachThreadInput.USER32(00000000), ref: 00CEA3BA

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 6b92135e9b55076bfbc7f194b57e96ebd1624d83801ca25eb6abd8930789239a
Instruction ID: 04c54973240e9dd8448065cfb9f21a612889436a2be35e59ac74b95f184ae59f
Opcode Fuzzy Hash: 6b92135e9b55076bfbc7f194b57e96ebd1624d83801ca25eb6abd8930789239a
Instruction Fuzzy Hash: 5EE0C931645368BADB205BA2DC0DFD77F5CEF167A1F008025F519D5160CA71D541DBB1

Function 00C92218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C92231
SetTextColor.GDI32(?,000000FF), ref: 00C9223B
SetBkMode.GDI32(?,00000001), ref: 00C92250
GetStockObject.GDI32(00000005), ref: 00C92258
GetWindowDC.USER32(?,00000000), ref: 00CCC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CCC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00CCC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00CCC112
GetPixel.GDI32(00000000,?,?), ref: 00CCC132
ReleaseDC.USER32(?,00000000), ref: 00CCC13D

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: caf3bd37719a50f5ff933b5cc18ab3b93afb4c05913f044e00ee88f564b7895d
Instruction ID: 452d5dfd06954a721b9426017a799fafe5e601606ec27407d7cf74f4988d8773
Opcode Fuzzy Hash: caf3bd37719a50f5ff933b5cc18ab3b93afb4c05913f044e00ee88f564b7895d
Instruction Fuzzy Hash: 74E03932104344FAEB215FA4EC4DBD83B11EB05332F14C36AFAB9881E1CB714A81DB21

Function 00CE8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00CE8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00CE882E), ref: 00CE8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00CE882E), ref: 00CE8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00CE882E), ref: 00CE8C7E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b7a34e8d6de382d4a774bd4d01cb05d27fa13e1682693fceb8f6ad0610e09cdf
Instruction ID: 51b878bfc656313da1dcc73dd5210b60f8dd2e6813dc31548ff4c2bf58369cbe
Opcode Fuzzy Hash: b7a34e8d6de382d4a774bd4d01cb05d27fa13e1682693fceb8f6ad0610e09cdf
Instruction Fuzzy Hash: A7E04F36642311ABD7205FB16D0CB963BA8AF55792F158828A649C9050DE3895468B71

Function 00CD2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CD2187
GetDC.USER32(00000000), ref: 00CD2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CD21B1
ReleaseDC.USER32(?), ref: 00CD21D2

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d5dfa93b0e733a4e3be2fcaba03b4a84a1dac19984a6cf5ed10158b35ad900a7
Instruction ID: 54ea7f51ef60e1ff54b24d1c9c2179d9a7139fe8ab50bec560995cc40ed5954e
Opcode Fuzzy Hash: d5dfa93b0e733a4e3be2fcaba03b4a84a1dac19984a6cf5ed10158b35ad900a7
Instruction Fuzzy Hash: 7BE0EEB5800304EFDF019FA1C848AAD7BB1EB5C350F11C42AF95AE7320CB388542AF60

Function 00CD219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CD219B
GetDC.USER32(00000000), ref: 00CD21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CD21B1
ReleaseDC.USER32(?), ref: 00CD21D2

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6d277b805a83e10df5c0b2101ad7dce5b79a8a933911acb2ac42533762436960
Instruction ID: c2b168c81a6a7b07642a36e27783efb97c51d9d65e0cdbc26a2307b2c289fbb9
Opcode Fuzzy Hash: 6d277b805a83e10df5c0b2101ad7dce5b79a8a933911acb2ac42533762436960
Instruction Fuzzy Hash: 44E0EEB5800304AFCF019FA0C80869D7BB1EB4C350F11C029F95AE7320CB389142AF60

Function 00CEB7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00CEB981

Strings

Container, xrefs: 00CEB8FE
AutoIt3GUI, xrefs: 00CEB8F9

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 5f4c7f1ce33c00e14fc99d1ec28c287dfab1f5b0d6017bf8f3e9351d359e912a
Instruction ID: 6a7ab5cd807f138f01a114bc7e5e697c3f0c6cf37967293fe95e4e56e93f8ffe
Opcode Fuzzy Hash: 5f4c7f1ce33c00e14fc99d1ec28c287dfab1f5b0d6017bf8f3e9351d359e912a
Instruction Fuzzy Hash: DD913974600601AFDB24CF69C885A7BBBE8BF48710F24856DE949CB7A1DB70ED41CB60

Function 00CFB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00CAFEC6: _wcscpy.LIBCMT ref: 00CAFEE9

Part of subcall function 00C99997: __itow.LIBCMT ref: 00C999C2
Part of subcall function 00C99997: __swprintf.LIBCMT ref: 00C99A0C

__wcsnicmp.LIBCMT ref: 00CFB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00CFB361

Strings

LPT, xrefs: 00CFB292

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: c31d422c344fe5ff759bd7cd2cfffbe7e340904395d27ad39f8d9ee7cecbb5a8
Instruction ID: 26c497bc828d7995ccfd28f316bd9e2c56d789f3ebd6d72b0d05e62ca9bea512
Opcode Fuzzy Hash: c31d422c344fe5ff759bd7cd2cfffbe7e340904395d27ad39f8d9ee7cecbb5a8
Instruction Fuzzy Hash: 28618375A00219AFCF54DF98C885EBEB7B4EF08310F114069FA56AB3A1DB70AE44DB51

Function 00CA2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00CA2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00CA2AE1

Strings

@, xrefs: 00CA2AD5

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 359c88ffbdd742e4cf288764abf3b7ff5c2251ff189febb617d8c6efe06dfd54
Instruction ID: ef06afcf1146981f2cac17821aaa771bc169bda54990b4695ce4b9b0efa856a8
Opcode Fuzzy Hash: 359c88ffbdd742e4cf288764abf3b7ff5c2251ff189febb617d8c6efe06dfd54
Instruction Fuzzy Hash: 465159724187449BD320AF14D88ABAFB7E8FF84310F42885DF1E9811A1EB309529DB27

Function 00CF99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00C9506B: __fread_nolock.LIBCMT ref: 00C95089

_wcscmp.LIBCMT ref: 00CF9AAE
_wcscmp.LIBCMT ref: 00CF9AC1

Strings

FILE, xrefs: 00CF99FA

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: ea209ef64bcdc8372ec7a42d0ce75fe7944137d18597719352976d1a131c8f77
Instruction ID: 2e61cdefd3746894d937b7d740c665a52c0a41786347686e3831e435bcdb55a2
Opcode Fuzzy Hash: ea209ef64bcdc8372ec7a42d0ce75fe7944137d18597719352976d1a131c8f77
Instruction Fuzzy Hash: 1141C471A00619BBDF219AA5DC46FEFBBBDDF45710F00006ABA00B71D1DA75AA0497A2

Function 00D02882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D02892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00D028C8

Strings

|, xrefs: 00D02899

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 68a0fdf58bf9a0f8762a0ef8aee2af3beaddbb5c1531a5f4bfefe21a1455026e
Instruction ID: d038a21fc1c7e018612d4d445cbb41687f384b6782f0fbf56476a84a9f769230
Opcode Fuzzy Hash: 68a0fdf58bf9a0f8762a0ef8aee2af3beaddbb5c1531a5f4bfefe21a1455026e
Instruction Fuzzy Hash: 7F315071801219AFCF05DFA1DC89EEEBFB8FF08300F004125F815A61A5DB315916DB60

Function 00D17CE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00D17DD0
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D17DE5

Strings

', xrefs: 00D17D39

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d3845e5745f99af0876f6d8f00e499e1a88c7e7b6b1a63f5d62cbcb1c9062840
Instruction ID: fc972c6e1c516f073cc854d0cda53999a4db685ddd155d7aaf294b4d9ef16906
Opcode Fuzzy Hash: d3845e5745f99af0876f6d8f00e499e1a88c7e7b6b1a63f5d62cbcb1c9062840
Instruction Fuzzy Hash: 9741D674A05309EFDB14CF68E981AEA7BB5FF09300F14016AE9059B351DB71A991CFA0

Function 00D16CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00D16D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D16DC2

Strings

static, xrefs: 00D16D22

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ac93d6bdfaf0bdc6a873e38eba90252bf07246d1a14e7dcbbaaacc4421e443bd
Instruction ID: 9c99ab48b64b42ad521b4e3591e244cea3253153a1be2df50c20452befc15382
Opcode Fuzzy Hash: ac93d6bdfaf0bdc6a873e38eba90252bf07246d1a14e7dcbbaaacc4421e443bd
Instruction Fuzzy Hash: AC318971200604AEEB109F68EC80AFB77A9FF48720F148619F8A987190DE31EC91DB70

Function 00CF2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CF2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00CF2E3B

Strings

0, xrefs: 00CF2DF9

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 43fa6ee5d9bb652e0259a01753ea5b911c86ceab01dbe37cbd883e06ddc1ec7c
Instruction ID: 45ffadb4286d66c4203c844bb440c07df8e7cdbd2dbd02052fb396a287a25bb2
Opcode Fuzzy Hash: 43fa6ee5d9bb652e0259a01753ea5b911c86ceab01dbe37cbd883e06ddc1ec7c
Instruction Fuzzy Hash: 8131E63160030DABEB648F58D845BFEBBB9FF05351F24402AEEA5D71A0E7709A44DB52

Function 00D03CDD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00D03D5A

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

Strings

, $, xrefs: 00D03D9A
AUTOITCALLVARIABLE%d, xrefs: 00D03D4C

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 339eacfa954009ab5571113f703975f2ebee2c98f054ee33868ac4ca9a2b9161
Instruction ID: 9916d1886e59ca64fc98c2f0c46a68c9c85f0395714d598322586ce781a81ae0
Opcode Fuzzy Hash: 339eacfa954009ab5571113f703975f2ebee2c98f054ee33868ac4ca9a2b9161
Instruction Fuzzy Hash: F0217331610218AFCF10EF64CC86BAD77A9BF44700F404495F409A7281DB34EA45DBB1

Function 00D16943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D169D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D169DB

Strings

Combobox, xrefs: 00D1699D

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 5a39b9ff6da2d46395d85073f5dc346ba00c4f3960b94f4410c3336c67a67b99
Instruction ID: 94d0cf62b95e84ea053e908c237ae79529eec955d3fcfcc4c896c354de0ea96b
Opcode Fuzzy Hash: 5a39b9ff6da2d46395d85073f5dc346ba00c4f3960b94f4410c3336c67a67b99
Instruction Fuzzy Hash: F711B2717002097FEF119F24EC81EEB3B6AEB993A4F154125F9589B290DA71DC918BB0

Function 00D16E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C91D73
Part of subcall function 00C91D35: GetStockObject.GDI32(00000011), ref: 00C91D87
Part of subcall function 00C91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C91D91

GetWindowRect.USER32(00000000,?), ref: 00D16EE0
GetSysColor.USER32(00000012), ref: 00D16EFA

Strings

static, xrefs: 00D16EBD

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: ea122763fb6881f5e3bd7f2ac43e3e7fb6d7df314051a392e8d49b92b341b673
Instruction ID: e32ecc426f6db085f2718dd06bd7d22b38ef228ad48662f405fcfdc8cabee930
Opcode Fuzzy Hash: ea122763fb6881f5e3bd7f2ac43e3e7fb6d7df314051a392e8d49b92b341b673
Instruction Fuzzy Hash: E621267261021ABFDB04DFB8DD45AEA7BB8FB08314F044629FD55D3250EA34E8A19B60

Function 00D16B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00D16C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00D16C20

Strings

edit, xrefs: 00D16BF5

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 2c35290588e09a891444fcbbc35eebb058d80f15458ab865c07ed5be6a525011
Instruction ID: b64217006deda237997b2b2a0256688a3da4b4291d1b83c20e10a9d4c8ec36df
Opcode Fuzzy Hash: 2c35290588e09a891444fcbbc35eebb058d80f15458ab865c07ed5be6a525011
Instruction Fuzzy Hash: 20119671104208BBEB108F64ED41AEB3B6AEB04378F644724F9A0D32E0CA35DC91AB70

Function 00CF2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00CF2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00CF2F30

Strings

0, xrefs: 00CF2F07

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 3f29bc449d535a30e7ad66ad60c5213cbda1ca77b4752242f10ed9b8eaa3e49b
Instruction ID: b082050e738fcfb2d9d39e5ce0039b8e4522277ed19cf51280ac042aa68098fd
Opcode Fuzzy Hash: 3f29bc449d535a30e7ad66ad60c5213cbda1ca77b4752242f10ed9b8eaa3e49b
Instruction Fuzzy Hash: D111E23191122CABDB60DB98DC04BF977B9EB01311F1400A1FE64E72A0D7B0EE04C7AA

Function 00D024CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00D02520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00D02549

Strings

<local>, xrefs: 00D02511

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 5e321a195998f0feb4766b9c98e120b64bb9b87790483be6ab5b98b58c80e4fe
Instruction ID: d15c409372f49d6727e818b490f2e82c0dc69130a4633b2741aa2d96735afa77
Opcode Fuzzy Hash: 5e321a195998f0feb4766b9c98e120b64bb9b87790483be6ab5b98b58c80e4fe
Instruction Fuzzy Hash: 2C11A070542225BADB248F518C9DFFBFF68FB16761F10812AF94987180D670A945DAF0

Function 00D080A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D0830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00D080C8,?,00000000,?,?), ref: 00D08322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00D080CB
htons.WSOCK32(00000000,?,00000000), ref: 00D08108

Strings

255.255.255.255, xrefs: 00D080E3

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: bb4ddf42eb2f3e88ce03f1620ba8658c2b2fd0ad3dad2e2beaa9160e2a491ca5
Instruction ID: 0cc40fd9507bb035e59f4c4246d40ec51fe730b5f6b403c01b8626f12d7e4d06
Opcode Fuzzy Hash: bb4ddf42eb2f3e88ce03f1620ba8658c2b2fd0ad3dad2e2beaa9160e2a491ca5
Instruction Fuzzy Hash: B411E134600305ABDB20AF64CC46FFDB324FF14320F10852AE955972D2DF32A811E7A5

Function 00CE92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

Part of subcall function 00CEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CEB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00CE9355

Strings

ListBox, xrefs: 00CE931F
ComboBox, xrefs: 00CE92F4

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 4c6d5bb925b036eadea9d0be3290a053dc50520ff94de02483a6a0a6ae0af974
Instruction ID: 84ab599ee928a3d6ecf07a1f596eb119ee7500b4a795b6543d5fa8582e162bd1
Opcode Fuzzy Hash: 4c6d5bb925b036eadea9d0be3290a053dc50520ff94de02483a6a0a6ae0af974
Instruction Fuzzy Hash: 8001B571A05254ABCF04EBA6CC958FF7769FF06320B140619F832572E2DF31690CA760

Function 00CF901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00CF9036
__fread_nolock.LIBCMT ref: 00CF904B

Strings

EA06, xrefs: 00CF907D

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 71645a812ec3290db948bbd3bb3ba75f9edbe81481f459d27cd3eb849b392d49
Instruction ID: 4b3e729f3c5cf3a827f2a7f0d93094096be313e6e2a38411fd5033c04a13af61
Opcode Fuzzy Hash: 71645a812ec3290db948bbd3bb3ba75f9edbe81481f459d27cd3eb849b392d49
Instruction Fuzzy Hash: E901F9718442186EDB28C6A8C816FFE7BF8DB05301F00419AF552D2181E975A6089B60

Function 00CE91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

Part of subcall function 00CEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CEB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00CE924D

Strings

ListBox, xrefs: 00CE9217
ComboBox, xrefs: 00CE91EC

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: f5b079d71c435e0560da9b6ce3b13565d1fc6ab811a5e6f3cb5f5957ab4924d3
Instruction ID: 58402487fe9532011652278794de26dd2aba0801eb07c5e979b23c2856865c7a
Opcode Fuzzy Hash: f5b079d71c435e0560da9b6ce3b13565d1fc6ab811a5e6f3cb5f5957ab4924d3
Instruction Fuzzy Hash: 640184B1A452447BCF05EBA2C996DFF73A8DF05300F240119B912672D1EE216F1CA671

Function 00CE9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C97F41: _memmove.LIBCMT ref: 00C97F82

Part of subcall function 00CEB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00CEB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00CE92D0

Strings

ListBox, xrefs: 00CE929C
ComboBox, xrefs: 00CE9271

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d2acc5a2a858f989087c898934c0cc4a0130dc344ae3db36d80edd1b25667bb5
Instruction ID: 4b8c83b11e16522d77306f16e8274331a1815f7e165563767ddb3183d47292f5
Opcode Fuzzy Hash: d2acc5a2a858f989087c898934c0cc4a0130dc344ae3db36d80edd1b25667bb5
Instruction Fuzzy Hash: 0E01A771A452047BCF05E7A1C996DFF77ACDF11310F240115B912632D1DA215F0CA675

Function 00CF51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00CF51E8
_wcscmp.LIBCMT ref: 00CF51FA

Strings

#32770, xrefs: 00CF51F4

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: a05bee7ba118c82c57772a44ef072a0457f19d81574c96e29d7d512c4f272c40
Instruction ID: d11e974deaac800cc55e61ffed82ee679e4fafd8c4e54cce89eed5c4a28e2fe4
Opcode Fuzzy Hash: a05bee7ba118c82c57772a44ef072a0457f19d81574c96e29d7d512c4f272c40
Instruction Fuzzy Hash: AFE09B7250432D2BD7109699AC49AA7F7ACEB45761F000156FE14D3151E9609A4587E1

Function 00CE81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00CE81CA

Part of subcall function 00CB3598: _doexit.LIBCMT ref: 00CB35A2

Strings

AutoIt, xrefs: 00CE81BE
Error allocating memory., xrefs: 00CE81C3

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 18d1dd72b3762297a6fa7860fd04b2c74d820adfea2fd5aa776e40259302c8d6
Instruction ID: 61afdb23de56221107ba0dd61ccbb0a17206ec048fe4ec1a7ae91a27f6259f57
Opcode Fuzzy Hash: 18d1dd72b3762297a6fa7860fd04b2c74d820adfea2fd5aa776e40259302c8d6
Instruction Fuzzy Hash: BBD0123638535836D22432A5AC0BFCA75484B15B55F044015BB08955D38DD2558652A9

Function 00CCB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CCB564: _memset.LIBCMT ref: 00CCB571

Part of subcall function 00CB0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00CCB540,?,?,?,00C9100A), ref: 00CB0B89

IsDebuggerPresent.KERNEL32(?,?,?,00C9100A), ref: 00CCB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C9100A), ref: 00CCB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00CCB54E

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: d0ed43b6b7cf619974379b7e98f904ec38bec66bb691eb22cc4913b13e8708c9
Instruction ID: eed10b151ecfa0062aad12405b20ea9bd9e7042345ac87b56ef5a1590d317be6
Opcode Fuzzy Hash: d0ed43b6b7cf619974379b7e98f904ec38bec66bb691eb22cc4913b13e8708c9
Instruction Fuzzy Hash: 87E092B06003118FD720DF68E50A7827BE4AF00745F00892CF456C3361DBB4E848CB71

Function 00D15BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D15BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D15C08

Part of subcall function 00CF54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00CF555E

Strings

Shell_TrayWnd, xrefs: 00D15BEE

Memory Dump Source

Source File: 00000000.00000002.2170534653.0000000000C91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C90000, based on PE: true

Associated: 00000000.00000002.2170509398.0000000000C90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170609125.0000000000D45000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170674855.0000000000D4F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2170699960.0000000000D58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c90000_67qCH13C8n.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 024bdbc3171284f96caa0e313842cfa10700a2c26f56e4eeee3290cdd86dd6f1
Instruction ID: e5c2f43711ba711759611a737630839d47e515e460f51e1cb0eb6b5453fb7d93
Opcode Fuzzy Hash: 024bdbc3171284f96caa0e313842cfa10700a2c26f56e4eeee3290cdd86dd6f1
Instruction Fuzzy Hash: 98D0C9313C8311BBE764AB70AC0BFE76A14AB00B51F004825B749EA2D1D9E45801C660

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 67qCH13C8n.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autABC4.tmp

C:\Users\user\AppData\Local\Temp\nonagglutinant

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
67qCH13C8n.exe

Function 00C93B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00C94AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00C94FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00CF93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00C93015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00C93041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00C971EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00C93A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00C93633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00C93778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 0168FE10 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00C939E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0168FBA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 160
fileCOMMON

Function 00C9410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00C969CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON