Edit tour

Windows Analysis Report
F0DgoRk0p1.exe

Overview

General Information

Sample name:	F0DgoRk0p1.exe renamed because original name is a hash value
Original sample name:	d2b275edfe93caf7e90362a513f00ffec34f1b10df49d950db008a3417045311.exe
Analysis ID:	1589029
MD5:	7bea2772a00141a510d2b2e2367597e1
SHA1:	1d38623ab62345c2d9f9f79b9f50849bbf9392ef
SHA256:	d2b275edfe93caf7e90362a513f00ffec34f1b10df49d950db008a3417045311
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

F0DgoRk0p1.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\F0DgoRk0p1.exe" MD5: 7BEA2772A00141A510D2B2E2367597E1)

RegSvcs.exe (PID: 8024 cmdline: "C:\Users\user\Desktop\F0DgoRk0p1.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.elquijotebanquetes.com", "Username": "urchman@elquijotebanquetes.com", "Password": "-GN,s*KH{VEhPmo)+f"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2507195814.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2507195814.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3455f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x345d1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3465b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x346ed:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34757:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x347c9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3485f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x348ef:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31697:$s2: GetPrivateProfileString 0x30d0c:$s3: get_OSFullName 0x323df:$s5: remove_Key 0x32567:$s5: remove_Key 0x33504:$s6: FtpWebRequest 0x34541:$s7: logins 0x34ab3:$s7: logins 0x377b8:$s7: logins 0x37876:$s7: logins 0x391c9:$s7: logins 0x38410:$s9: 1.85 (Hash, version 2, native byte-order)
00000007.00000002.2509039021.0000000002415000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: F0DgoRk0p1.exe PID: 7828	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: F0DgoRk0p1.exe PID: 7828	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: F0DgoRk0p1.exe PID: 7828	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 8024	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 8024	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RegSvcs.exe.1b0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.1b0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.RegSvcs.exe.1b0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.2.RegSvcs.exe.1b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3455f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x345d1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3465b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x346ed:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34757:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x347c9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3485f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x348ef:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.RegSvcs.exe.1b0000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31697:$s2: GetPrivateProfileString 0x30d0c:$s3: get_OSFullName 0x323df:$s5: remove_Key 0x32567:$s5: remove_Key 0x33504:$s6: FtpWebRequest 0x34541:$s7: logins 0x34ab3:$s7: logins 0x377b8:$s7: logins 0x37876:$s7: logins 0x391c9:$s7: logins 0x38410:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.F0DgoRk0p1.exe.3d00000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.F0DgoRk0p1.exe.3d00000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.F0DgoRk0p1.exe.3d00000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3275f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x327d1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3285b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x328ed:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32957:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x329c9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32a5f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32aef:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.F0DgoRk0p1.exe.3d00000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f897:$s2: GetPrivateProfileString 0x2ef0c:$s3: get_OSFullName 0x305df:$s5: remove_Key 0x30767:$s5: remove_Key 0x31704:$s6: FtpWebRequest 0x32741:$s7: logins 0x32cb3:$s7: logins 0x359b8:$s7: logins 0x35a76:$s7: logins 0x373c9:$s7: logins 0x36610:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3455f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x345d1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3465b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x346ed:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34757:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x347c9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3485f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x348ef:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31697:$s2: GetPrivateProfileString 0x30d0c:$s3: get_OSFullName 0x323df:$s5: remove_Key 0x32567:$s5: remove_Key 0x33504:$s6: FtpWebRequest 0x34541:$s7: logins 0x34ab3:$s7: logins 0x377b8:$s7: logins 0x37876:$s7: logins 0x391c9:$s7: logins 0x38410:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.elquijotebanquetes.com", "Username": "urchman@elquijotebanquetes.com", "Password": "-GN,s*KH{VEhPmo)+f"}

Multi AV Scanner detection for submitted file

Source: F0DgoRk0p1.exe

ReversingLabs: Detection: 83%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: F0DgoRk0p1.exe

Joe Sandbox ML: detected

Source: F0DgoRk0p1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: F0DgoRk0p1.exe, 00000001.00000003.1274037048.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, F0DgoRk0p1.exe, 00000001.00000003.1272916576.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: F0DgoRk0p1.exe, 00000001.00000003.1274037048.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, F0DgoRk0p1.exe, 00000001.00000003.1272916576.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0068445A
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068C6D1 FindFirstFileW,FindClose,	1_2_0068C6D1
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0068C75C
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0068EF95
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0068F0F2
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0068F3F3
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_006837EF
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00683B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00683B12
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0068BCBC

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 7.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_006922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

1_2_006922EE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: RegSvcs.exe, 00000007.00000002.2509039021.00000000024C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509039021.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509039021.00000000024AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: F0DgoRk0p1.exe, 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2507939358.0000000000742000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2507195814.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509039021.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509039021.00000000024AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000007.00000002.2509039021.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509039021.00000000024AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: F0DgoRk0p1.exe, 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2507195814.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00694164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_00694164

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00694164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_00694164

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00693F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_00693F66

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_0068001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_0068001C

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_006ACABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_006ACABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.F0DgoRk0p1.exe.3d00000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.F0DgoRk0p1.exe.3d00000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: This is a third-party compiled AutoIt script.	1_2_00623B3A
Source: F0DgoRk0p1.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: F0DgoRk0p1.exe, 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cf39704e-8
Source: F0DgoRk0p1.exe, 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_2bf8ae2c-d

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00623633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	1_2_00623633
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006AC1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	1_2_006AC1AC
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006AC498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	1_2_006AC498
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006AC57D SendMessageW,NtdllDialogWndProc_W,	1_2_006AC57D
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006AC5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	1_2_006AC5FE
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006AC860 NtdllDialogWndProc_W,	1_2_006AC860
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006AC8BE NtdllDialogWndProc_W,	1_2_006AC8BE
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006AC88F NtdllDialogWndProc_W,	1_2_006AC88F
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006AC93E ClientToScreen,NtdllDialogWndProc_W,	1_2_006AC93E
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006AC909 NtdllDialogWndProc_W,	1_2_006AC909
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006ACA7C GetWindowLongW,NtdllDialogWndProc_W,	1_2_006ACA7C
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006ACABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	1_2_006ACABC
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00621287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74D2C8D0,NtdllDialogWndProc_W,	1_2_00621287
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00621290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	1_2_00621290
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006AD3B8 NtdllDialogWndProc_W,	1_2_006AD3B8
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006AD43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	1_2_006AD43E
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0062167D NtdllDialogWndProc_W,	1_2_0062167D
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006216DE GetParent,NtdllDialogWndProc_W,	1_2_006216DE
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006216B5 NtdllDialogWndProc_W,	1_2_006216B5
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006AD78C NtdllDialogWndProc_W,	1_2_006AD78C
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0062189B NtdllDialogWndProc_W,	1_2_0062189B
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006ABC5D NtdllDialogWndProc_W,CallWindowProcW,	1_2_006ABC5D
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006ABF30 NtdllDialogWndProc_W,	1_2_006ABF30
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006ABF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	1_2_006ABF8C

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_0068A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

1_2_0068A1EF

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_006785B1 GetCurrentProcess,OpenProcessToken,CloseHandle,CreateProcessWithLogonW,

1_2_006785B1

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_006851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_006851BD

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0062E6A0	1_2_0062E6A0
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0064D975	1_2_0064D975
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0062FCE0	1_2_0062FCE0
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006421C5	1_2_006421C5
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006562D2	1_2_006562D2
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006A03DA	1_2_006A03DA
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0065242E	1_2_0065242E
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006425FA	1_2_006425FA
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0067E616	1_2_0067E616
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006366E1	1_2_006366E1
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0065878F	1_2_0065878F
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00656844	1_2_00656844
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006A0857	1_2_006A0857
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00638808	1_2_00638808
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00688889	1_2_00688889
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0064CB21	1_2_0064CB21
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00656DB6	1_2_00656DB6
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00636F9E	1_2_00636F9E
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00633030	1_2_00633030
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0064F1D9	1_2_0064F1D9
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00643187	1_2_00643187
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00621287	1_2_00621287
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00641484	1_2_00641484
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00635520	1_2_00635520
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00647696	1_2_00647696
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00635760	1_2_00635760
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00641978	1_2_00641978
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00659AB5	1_2_00659AB5
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006A7DDB	1_2_006A7DDB
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0064BDA6	1_2_0064BDA6
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00641D90	1_2_00641D90
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0062DF00	1_2_0062DF00
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00633FE0	1_2_00633FE0
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_016B66E0	1_2_016B66E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0213A6E0	7_2_0213A6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02134A88	7_2_02134A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02133E70	7_2_02133E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_021341B8	7_2_021341B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0213DD10	7_2_0213DD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0213DD08	7_2_0213DD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05CD2588	7_2_05CD2588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05CD13D8	7_2_05CD13D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05CD3D28	7_2_05CD3D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05CD3640	7_2_05CD3640

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: String function: 00640AE3 appears 70 times
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: String function: 00627DE1 appears 36 times
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: String function: 00648900 appears 42 times

Source: F0DgoRk0p1.exe, 00000001.00000003.1276906463.0000000003EB3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs F0DgoRk0p1.exe
Source: F0DgoRk0p1.exe, 00000001.00000003.1273734375.000000000400D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs F0DgoRk0p1.exe
Source: F0DgoRk0p1.exe, 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename07823960-0dbd-43bb-aade-b6626acc7f4a.exe0 vs F0DgoRk0p1.exe

Source: F0DgoRk0p1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 7.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.F0DgoRk0p1.exe.3d00000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.F0DgoRk0p1.exe.3d00000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/1

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_0068A06A GetLastError,FormatMessageW,

1_2_0068A06A

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006781CB AdjustTokenPrivileges,CloseHandle,		1_2_006781CB
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_006787E1

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_0068B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_0068B333

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_0069EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_0069EE0D

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_006983BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

1_2_006983BB

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00624E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_00624E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

File created: C:\Users\user\AppData\Local\Temp\aut1CCD.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.2509039021.00000000024F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509039021.00000000024E7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: F0DgoRk0p1.exe

ReversingLabs: Detection: 83%

Source: unknown	Process created: C:\Users\user\Desktop\F0DgoRk0p1.exe "C:\Users\user\Desktop\F0DgoRk0p1.exe"
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\F0DgoRk0p1.exe"
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\F0DgoRk0p1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: F0DgoRk0p1.exe, 00000001.00000003.1274037048.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, F0DgoRk0p1.exe, 00000001.00000003.1272916576.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: F0DgoRk0p1.exe, 00000001.00000003.1274037048.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, F0DgoRk0p1.exe, 00000001.00000003.1272916576.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_007349E0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_007349E0

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00648945 push ecx; ret

1_2_00648958

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_006248D7
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_006A5376

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00643187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00643187

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: F0DgoRk0p1.exe PID: 7828, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

API/Special instruction interceptor: Address: 16B6304

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: F0DgoRk0p1.exe, 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2507195814.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509039021.00000000024C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509039021.0000000002415000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-102358

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

API coverage: 4.5 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0068445A
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068C6D1 FindFirstFileW,FindClose,	1_2_0068C6D1
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0068C75C
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0068EF95
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0068F0F2
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0068F3F3
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_006837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_006837EF
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00683B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00683B12
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0068BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0068BCBC

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_006249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_006249A0

Source: RegSvcs.exe, 00000007.00000002.2509039021.0000000002415000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000007.00000002.2509039021.0000000002415000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000007.00000002.2507195814.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: F0DgoRk0p1.exe, 00000001.00000002.1279940617.00000000015D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe
Source: RegSvcs.exe, 00000007.00000002.2510603755.0000000005774000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	API call chain: ExitProcess graph end node	graph_1-101157
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	API call chain: ExitProcess graph end node	graph_1-103497
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	API call chain: ExitProcess graph end node	graph_1-101376

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_02137078 CheckRemoteDebuggerPresent,

7_2_02137078

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00693F09 BlockInput,

1_2_00693F09

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00623B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00623B3A

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00655A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

1_2_00655A7C

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_007349E0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

1_2_007349E0

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_016B6570 mov eax, dword ptr fs:[00000030h]	1_2_016B6570
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_016B65D0 mov eax, dword ptr fs:[00000030h]	1_2_016B65D0
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_016B4F20 mov eax, dword ptr fs:[00000030h]	1_2_016B4F20

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_006780A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,

1_2_006780A9

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0064A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_0064A155
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_0064A124 SetUnhandledExceptionFilter,		1_2_0064A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 239008

Jump to behavior

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_006787B1 LogonUserW,

1_2_006787B1

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00623B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00623B3A

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_006248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

1_2_006248D7

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00684C7F mouse_event,

1_2_00684C7F

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\F0DgoRk0p1.exe"

Jump to behavior

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00677CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_00677CAF

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_0067874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_0067874B

Source: F0DgoRk0p1.exe, 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: F0DgoRk0p1.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_0064862B cpuid

1_2_0064862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00654E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00654E87

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00661E06 GetUserNameW,

1_2_00661E06

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_00653F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_00653F3A

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe

Code function: 1_2_006249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_006249A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 7.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F0DgoRk0p1.exe.3d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2507195814.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F0DgoRk0p1.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8024, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: F0DgoRk0p1.exe	Binary or memory string: WIN_81
Source: F0DgoRk0p1.exe	Binary or memory string: WIN_XP
Source: F0DgoRk0p1.exe	Binary or memory string: WIN_XPe
Source: F0DgoRk0p1.exe	Binary or memory string: WIN_VISTA
Source: F0DgoRk0p1.exe	Binary or memory string: WIN_7
Source: F0DgoRk0p1.exe	Binary or memory string: WIN_8
Source: F0DgoRk0p1.exe, 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 7.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F0DgoRk0p1.exe.3d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2507195814.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2509039021.0000000002415000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F0DgoRk0p1.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8024, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 7.2.RegSvcs.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F0DgoRk0p1.exe.3d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.F0DgoRk0p1.exe.3d00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2507195814.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: F0DgoRk0p1.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 8024, type: MEMORYSTR

Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00696283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	1_2_00696283
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00696747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_00696747
Source: C:\Users\user\Desktop\F0DgoRk0p1.exe	Code function: 1_2_00657AA1 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,	1_2_00657AA1

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	21 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	138 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	651 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
F0DgoRk0p1.exe	83%	ReversingLabs	Win32.Trojan.AutoitInject
F0DgoRk0p1.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://account.dyn.com/	F0DgoRk0p1.exe, 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2507195814.00000000001B2000.00000040.80000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000007.00000002.2509039021.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509039021.00000000024AE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	RegSvcs.exe, 00000007.00000002.2509039021.00000000024C9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509039021.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2509039021.00000000024AE000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589029
Start date and time:	2025-01-11 08:36:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	F0DgoRk0p1.exe renamed because original name is a hash value
Original Sample Name:	d2b275edfe93caf7e90362a513f00ffec34f1b10df49d950db008a3417045311.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 54 Number of non-executed functions: 275
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: F0DgoRk0p1.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	fpY3HP2cnH.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	4287eV6mBc.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	aik1mr9TOq.exe	Get hash	malicious	Predator	Browse	ip-api.com/json/
	DUWPFaZd3a.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	ip-api.com/line/?fields=hosting
	tb4B9ni6vl.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	juE8dtqPkx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	YY3k9rjxpY.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	4LbgdNQgna.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	toIuQILmr1.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	LfZAz7DQzo.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	fpY3HP2cnH.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4287eV6mBc.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	aik1mr9TOq.exe	Get hash	malicious	Predator	Browse	208.95.112.1
	DUWPFaZd3a.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	208.95.112.1
	tb4B9ni6vl.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	juE8dtqPkx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	YY3k9rjxpY.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4LbgdNQgna.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	toIuQILmr1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LfZAz7DQzo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	fpY3HP2cnH.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4287eV6mBc.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	aik1mr9TOq.exe	Get hash	malicious	Predator	Browse	208.95.112.1
	DUWPFaZd3a.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	208.95.112.1
	tb4B9ni6vl.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	juE8dtqPkx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	YY3k9rjxpY.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4LbgdNQgna.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	toIuQILmr1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LfZAz7DQzo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\F0DgoRk0p1.exe
File Type:	data
Category:	dropped
Size (bytes):	244736
Entropy (8bit):	6.779518683184602
Encrypted:	false
SSDEEP:	6144:inqisWkmX7fB2hE0iFan4Eyl2R5NEbbFLrlpt/s+U+wi2xGQNZTB4RC:inqiEhP4vSGtvXEkAZ11
MD5:	AFC04203518DD91A49F79EEED80AEE05
SHA1:	E8A9D6CD1F1466F1FAB0FBE6447772EEA2B04F67
SHA-256:	781130BD4BFEC3A4069DEE937F541E69D9439A4591E9C02F19C7379108CEEF76
SHA-512:	6934A8EF42EB8133B5466483E125AA5A8565DFC800727122B23FDEF652F283C99488BBC8B69C3D15FDE3BEABC5FF9469CED583AECDCC3423C4C8068486090860
Malicious:	false
Reputation:	low
Preview:	...84ZEOE3Y7..D3.BEWPXVHr87ZEOA3Y7TSD3MBEWPXVH287ZEOA3Y7TSD3.BEW^G.F2.>.d.@....;-@m27877%.[V4+ 5.;Rt!1]m++w...h_WS?kBL9}7TSD3MB..PX.I18.s.A3Y7TSD3.BGV[Y]H2.4ZEGA3Y7TS..NBEwPXV.187Z.OA.Y7TQD3IBEWPXVH687ZEOA3Y.PSD1MBEWPXTHr.7ZUOA#Y7TST3MREWPXVH"87ZEOA3Y7TS$.NB.WPXV.18._EOA3Y7TSD3MBEWPXVH283ZIOA3Y7TSD3MBEWPXVH287ZEOA3Y7TSD3MBEWPXVH287ZEOA3Y7TSD.MBMWPXVH287ZEOI.Y7.SD3MBEWPXVH.LR"1OA3.WSD.MBE.SXVJ287ZEOA3Y7TSD3mBE7~%:Q87Z.JA3Y.WSD5MBE.SXVH287ZEOA3Y7.SDsc0 ;?;VH>87ZEOE3Y5TSD.NBEWPXVH287ZEO.3YuTSD3MBEWPXVH287Z.B3Y7TS.3MBGWUX..08;mDOB3Y7USD5MBEWPXVH287ZEOA3Y7TSD3MBEWPXVH287ZEOA3Y7TSD3MBEWM.....d.2.9;0.u.T.A..C..1.w8.P.:'....I....w-P.{8.Uu...P....F.J@.Q......:N>O[.@{\%.P....ew<rs.\+.;..a.]Kf.~...n....@5m...'...-(y1(&$W.d;#.3Z.5.RD3MB........^"..l0V)`A<e...dJ.....;OA3=7TS63MB$WPX.H28XZEO/3Y7*SD33BEW.XVHr87ZrOA3\|7TS)3MBaWPX(H28.'J@..^'..3MBEWe..x.U........e5.3.'o...,.s..@..<1.#..t..K.3..%j\\f..4X1PVF4IAIj^.....5^AJC4]4XnJx...v.~.....4....M./D3MBEW.XV.287..O.3Y7.S.3..EWP.H.8.Z...3

C:\Users\user\AppData\Local\Temp\aut1CCD.tmp

Download File

Process:	C:\Users\user\Desktop\F0DgoRk0p1.exe
File Type:	data
Category:	dropped
Size (bytes):	154636
Entropy (8bit):	7.916847135549542
Encrypted:	false
SSDEEP:	3072:dzsF6MLQAjykQEHC0ee8G7gX8oINcpZz2GHDYj566NFjjB9l8scxEPlP:d3MekQEi0noImp0GHMj0gljGEPlP
MD5:	FF33061AA719F4E4D98697C7D4687D82
SHA1:	D8EB537851D42E006224741E4D4167E71ABD9351
SHA-256:	40CEFBF166B2E0BEA95A495AA946FF1EE8260E920A3E2E3EB32C4EF89E9AA80B
SHA-512:	BB50F356C001F661889CE88B28C74207C6049C074A24DC08A1E41B1344A91D519CDA3DA320A54BFA02F7C84AEACEBB7856A8DA8EAA75F1A38F086872D4AF8F6B
Malicious:	false
Reputation:	low
Preview:	EA06......S..j.O...3}^..3...z.b.H.N&.....X.T.:h..f@...4.X.Q..i.2}..}....Z.;..-.)..o..bU...W ...u+..c]...wx.^.h...s.]..9..,f+..V#T....s.J..5..Q...v.2..M.p.lz.t......j& ....A.....$..5........b.a..".........L. ..H.1.$.X!.p..tk.._<.I........6.M...$.....v9L.H. ....W.,..Z.b.J.X.m.,.... ....,u.....a.7\|.J...c.H's..Z.>...s.......M\|...f..a..s. ....,Q..Z...0.N.Jx..U.n.....-S~.....CfW...a.......C...=..7P.N..^.~+I.p..=..[P..........T6Z\....P%....!..C.T..>...^.^-C.....y...J...wK=...6r....-../gW..Mm..g.O..K.....Q&.U..I.]3.x&......._?..]^.C...ZS`..,.n..5d.K..Gc/;..'........n......K.7.P..3..".c........R.XX@..@.a.......'.n.B+..x.Ut..Cg..y.vY..g....<l.)s.@(....c...!.M.....L.Z9-..\.@c3J..V.M)4.M....l\|..z.J..+.J..x...7m...........Sx2..lk..n@.a.......R...x@4GcSH.N9../?.3.Vf..EZ.6.].S.,..N.^......G.O'.9..)si........U.gG.q..j.Z....TZl..Y..%.).6.m.T+...q7.[..:l.oT..j4....x......IC..fu. .a5.H.z..J........1.R.u:$.....j...e8.V.U.....a....]..7.+<.ID...w.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.930782762851187
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	F0DgoRk0p1.exe
File size:	600'576 bytes
MD5:	7bea2772a00141a510d2b2e2367597e1
SHA1:	1d38623ab62345c2d9f9f79b9f50849bbf9392ef
SHA256:	d2b275edfe93caf7e90362a513f00ffec34f1b10df49d950db008a3417045311
SHA512:	059070ca0a65c1f3c269328e9cc0831f3beec68cbe0e98be4656913296747947182d55aaf7fd14e8553edcbbaf2550570e9d19c800852ce1b5e8ac8107fe921c
SSDEEP:	12288:vquErHF6xC9D6DmR1J98w4oknqOOCyQfIwKT8bTgJp4pDVOPlDaZ:2rl6kD68JmlotQfET8bk+84
TLSH:	1CD423C54AE1E423C66873B5C1799D685AA538728F8A3B5EC729F10EFC20303E856F5D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x5149e0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674DE4DC [Mon Dec 2 16:48:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 004BF000h
lea edi, dword ptr [esi-000BE000h]
push edi
jmp 00007FF5ECC5A2DDh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FF5ECC5A2D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FF5ECC5A2BFh
mov eax, 00000001h
add ebx, ebx
jne 00007FF5ECC5A2D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FF5ECC5A2DDh
jne 00007FF5ECC5A2FAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FF5ECC5A2F1h
dec eax
add ebx, ebx
jne 00007FF5ECC5A2D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FF5ECC5A2A6h
add ebx, ebx
jne 00007FF5ECC5A2D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FF5ECC5A324h
xor ecx, ecx
sub eax, 03h
jc 00007FF5ECC5A2E3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FF5ECC5A347h
sar eax, 1
mov ebp, eax
jmp 00007FF5ECC5A2DDh
add ebx, ebx
jne 00007FF5ECC5A2D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FF5ECC5A29Eh
inc ecx
add ebx, ebx
jne 00007FF5ECC5A2D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FF5ECC5A290h
add ebx, ebx
jne 00007FF5ECC5A2D9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FF5ECC5A2C1h
jne 00007FF5ECC5A2DBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FF5ECC5A2B6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007FF5ECC5A2E0h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1512bc	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x115000	0x3c2bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1516e0	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x114bc4	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xbe000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xbf000	0x56000	0x55e00	88f509ad548e32f9c59184e3e6664b04	False	0.9870473981077147	data	7.935113974245869	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x115000	0x3d000	0x3c800	00f97e8d12a727c92d01dd18d400d0fc	False	0.9157210420971075	data	7.868258650562296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1155ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x1156d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x115804	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x115930	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0x115c1c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0x115d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0x116bf4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0x1174a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0x117a0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0x119fb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0x11b064	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	1.1375
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.9348739495798319
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.9008363201911589
RT_STRING	0xce110	0x490	data	English	Great Britain	0.9546232876712328
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.9086161879895561
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	1.0036855036855037
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	1.0097690941385435
RT_STRING	0xcf660	0x158	data	English	Great Britain	1.0319767441860466
RT_RCDATA	0x11b4d0	0x35853	data			1.0003466852781921
RT_GROUP_ICON	0x150d28	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x150da4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x150dbc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x150dd4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x150dec	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x150ecc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:37:12.273101091 CET	49706	80	192.168.2.10	208.95.112.1
Jan 11, 2025 08:37:12.277940035 CET	80	49706	208.95.112.1	192.168.2.10
Jan 11, 2025 08:37:12.278266907 CET	49706	80	192.168.2.10	208.95.112.1
Jan 11, 2025 08:37:12.287286997 CET	49706	80	192.168.2.10	208.95.112.1
Jan 11, 2025 08:37:12.292115927 CET	80	49706	208.95.112.1	192.168.2.10
Jan 11, 2025 08:37:12.734138012 CET	80	49706	208.95.112.1	192.168.2.10
Jan 11, 2025 08:37:12.781094074 CET	49706	80	192.168.2.10	208.95.112.1
Jan 11, 2025 08:38:08.539568901 CET	80	49706	208.95.112.1	192.168.2.10
Jan 11, 2025 08:38:08.539679050 CET	49706	80	192.168.2.10	208.95.112.1
Jan 11, 2025 08:38:52.750765085 CET	49706	80	192.168.2.10	208.95.112.1
Jan 11, 2025 08:38:52.755737066 CET	80	49706	208.95.112.1	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:37:12.226069927 CET	61786	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:37:12.233361959 CET	53	61786	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 08:37:12.226069927 CET	192.168.2.10	1.1.1.1	0x37d	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 08:37:12.233361959 CET	1.1.1.1	192.168.2.10	0x37d	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49706	208.95.112.1	80	8024	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:12.287286997 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 11, 2025 08:37:12.734138012 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:37:12 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	1
Start time:	02:37:09
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\F0DgoRk0p1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\F0DgoRk0p1.exe"
Imagebase:	0x620000
File size:	600'576 bytes
MD5 hash:	7BEA2772A00141A510D2B2E2367597E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000001.00000002.1285910453.0000000003D00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:37:10
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\F0DgoRk0p1.exe"
Imagebase:	0xe0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2507195814.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2507195814.00000000001B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2509039021.0000000002415000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	9.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	174

Executed Functions

Function 00623B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00623B68
IsDebuggerPresent.KERNEL32 ref: 00623B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,006E52F8,006E52E0,?,?), ref: 00623BEB

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

Part of subcall function 0063092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00623C14,006E52F8,?,?,?), ref: 0063096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00623C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006D7770,00000010), ref: 0065D281
SetCurrentDirectoryW.KERNEL32(?,006E52F8,?,?,?), ref: 0065D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,006D4260,006E52F8,?,?,?), ref: 0065D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0065D346

Part of subcall function 00623A46: GetSysColorBrush.USER32(0000000F), ref: 00623A50
Part of subcall function 00623A46: LoadCursorW.USER32(00000000,00007F00), ref: 00623A5F
Part of subcall function 00623A46: LoadIconW.USER32(00000063), ref: 00623A76
Part of subcall function 00623A46: LoadIconW.USER32(000000A4), ref: 00623A88
Part of subcall function 00623A46: LoadIconW.USER32(000000A2), ref: 00623A9A
Part of subcall function 00623A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00623AC0
Part of subcall function 00623A46: RegisterClassExW.USER32(?), ref: 00623B16

Part of subcall function 006239D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00623A03
Part of subcall function 006239D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00623A24
Part of subcall function 006239D5: ShowWindow.USER32(00000000,?,?), ref: 00623A38
Part of subcall function 006239D5: ShowWindow.USER32(00000000,?,?), ref: 00623A41

Part of subcall function 0062434A: _memset.LIBCMT ref: 00624370
Part of subcall function 0062434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00624415

Strings

%k, xrefs: 00623C44
This is a third-party compiled AutoIt script., xrefs: 0065D279
runas, xrefs: 0065D33A

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%k
API String ID: 529118366-1914796069
Opcode ID: 8e45400d2b9fe4ca26ff5a2c2493fc2237c85e11cbdc912113483ca041857a29
Instruction ID: 3fee73a7428dbe0ac516d198953b28adf7ccbb6fd652638a10ffac3335d93185
Opcode Fuzzy Hash: 8e45400d2b9fe4ca26ff5a2c2493fc2237c85e11cbdc912113483ca041857a29
Instruction Fuzzy Hash: A751E430E08AA8AECB11EBB4EC45EED7B7BAF45744F004069F512AA2A1DA745705CF25

Function 00623633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 006236D2
KillTimer.USER32(?,00000001), ref: 006236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0062371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0062372A
CreatePopupMenu.USER32 ref: 0062373E
PostQuitMessage.USER32(00000000), ref: 0062374D

Strings

%k, xrefs: 0065D081, 0065D0CF
TaskbarCreated, xrefs: 00623725

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated$%k
API String ID: 157504867-2455537126
Opcode ID: 17d1ad95ba7e6888e9bd43e7dff212921ed5ffba0311b88dd69080c293b1488a
Instruction ID: b1c3f959b97093a158625909006c492ed4adf28c7de1e5b17929e083555dd54b
Opcode Fuzzy Hash: 17d1ad95ba7e6888e9bd43e7dff212921ed5ffba0311b88dd69080c293b1488a
Instruction Fuzzy Hash: AD413BB1100E75BBDF246F64FC59BB93A5BEB01300F100129F5039A3E1DB699E069F6A

Function 006249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006249CD

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

GetCurrentProcess.KERNEL32(?,006AFAEC,00000000,00000000,?), ref: 00624A9A
IsWow64Process.KERNEL32(00000000), ref: 00624AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00624AE7
FreeLibrary.KERNEL32(00000000), ref: 00624AF2
GetSystemInfo.KERNEL32(00000000), ref: 00624B23
GetSystemInfo.KERNEL32(00000000), ref: 00624B2F

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 2bb8620211be97d9a59a78b548a5fc28e3862b511bf58a9666a2d3fb3f16707e
Instruction ID: 6b15441b278be5a30d0a23ed884d32f796045e02a5726e2a1d0a13a81d556f1d
Opcode Fuzzy Hash: 2bb8620211be97d9a59a78b548a5fc28e3862b511bf58a9666a2d3fb3f16707e
Instruction Fuzzy Hash: DC91D531989BD0DEC731DB6894501EABFF6AF2A301F4449ADD0C793B41D621A908CB5A

Function 00624E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00624E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00624D8E,?,?,00000000,00000000), ref: 00624EB0
LoadResource.KERNEL32(?,00000000,?,?,00624D8E,?,?,00000000,00000000,?,?,?,?,?,?,00624E2F), ref: 0065D937
SizeofResource.KERNEL32(?,00000000,?,?,00624D8E,?,?,00000000,00000000,?,?,?,?,?,?,00624E2F), ref: 0065D94C
LockResource.KERNEL32(00624D8E,?,?,00624D8E,?,?,00000000,00000000,?,?,?,?,?,?,00624E2F,00000000), ref: 0065D95F

Strings

SCRIPT, xrefs: 00624EA6

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c7771c720f0ecbaf2e6e5a4a3397b1614e58e5d2bbb2d32d850f8b1add98226a
Instruction ID: 4827bdc8b9b7c5b21a080af63a9ab4e6eb0f2c107b2cc2ececbcf45d95b6e448
Opcode Fuzzy Hash: c7771c720f0ecbaf2e6e5a4a3397b1614e58e5d2bbb2d32d850f8b1add98226a
Instruction Fuzzy Hash: 98115A75240700BFE7219BA5EC48FA77BBBFBC6B11F214268F44686290DB61EC008E61

Function 0062FCE0 Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 1040COMMON

Download Yara Rule

Strings

%k, xrefs: 0062FCF3

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: BuffCharUpper
String ID: %k
API String ID: 3964851224-3601005739
Opcode ID: 4caa27f259a0c0ff13526f8fa9dba59b3a28d32cbfeb0178c22f6c2b387471c3
Instruction ID: 6a8a45eadbe0b16aec760d7043a88da96fa4be65e89c16e962945c3a91109f34
Opcode Fuzzy Hash: 4caa27f259a0c0ff13526f8fa9dba59b3a28d32cbfeb0178c22f6c2b387471c3
Instruction Fuzzy Hash: 98928C706087519FE724DF14C490B6AB7E2BF85304F14896DE88A8B352DB71EC49CF96

Function 007349E0 Relevance: 7.7, APIs: 5, Instructions: 206librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00734B1A
GetProcAddress.KERNEL32(?,0072DFF9), ref: 00734B38
ExitProcess.KERNEL32(?,0072DFF9), ref: 00734B49
VirtualProtect.KERNELBASE(00620000,00001000,00000004,?,00000000), ref: 00734B97
VirtualProtect.KERNELBASE(00620000,00001000), ref: 00734BAC

Memory Dump Source

Source File: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 8decb30141cfd37c5b6a5972196f465a7fcb736e604204a0326e199a524d7453
Instruction ID: 6564a010526e5f00d646362c1144acd6d383eff8d80ac17eadfd4f362642b7e2
Opcode Fuzzy Hash: 8decb30141cfd37c5b6a5972196f465a7fcb736e604204a0326e199a524d7453
Instruction Fuzzy Hash: 075108B2A953525BE7299EB8CC80761B794EB51321F284738C5E2C73C7F7A87C068764

Function 0068445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0065E398), ref: 0068446A
FindFirstFileW.KERNELBASE(?,?), ref: 0068447B
FindClose.KERNEL32(00000000), ref: 0068448B

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: a0cfda598c16333944a6fc1b9fb10070f9918db2a6fdaf88a124be736d6f11d4
Instruction ID: fc92d01870a464f0b64e686f43e2a7bfbea6a2430f34c9b1dc3483f3794f107d
Opcode Fuzzy Hash: a0cfda598c16333944a6fc1b9fb10070f9918db2a6fdaf88a124be736d6f11d4
Instruction Fuzzy Hash: 90E0D8324105016743107BB8EC0D5E97BDEDF06335F100715F835C11E0EBB46D009AD6

Function 0062E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00663E62

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: b94c7ab7bcbe7cb276cdcad18e95cd1ccd0844f67bb0795e94072c4923966826
Instruction ID: 57e4b25fe421dd3d7195954d4369801dd27187795053fb7451360dc1e8d48e88
Opcode Fuzzy Hash: b94c7ab7bcbe7cb276cdcad18e95cd1ccd0844f67bb0795e94072c4923966826
Instruction Fuzzy Hash: 34A28C74A00A25CFCB24CF58E480AAAB7B3FF59310F648469E945AB351D736ED42CF91

Function 006309D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00630A5B
timeGetTime.WINMM ref: 00630D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00630E53
Sleep.KERNEL32(0000000A), ref: 00630E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00630EFA
DestroyWindow.USER32 ref: 00630F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00630F20
Sleep.KERNEL32(0000000A,?,?), ref: 00664E83
TranslateMessage.USER32(?), ref: 00665C60
DispatchMessageW.USER32(?), ref: 00665C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00665C82

Strings

@GUI_CTRLHANDLE, xrefs: 00664FE4
@GUI_CTRLID, xrefs: 00664F3A
@COM_EVENTOBJ, xrefs: 006654F0
@TRAY_ID, xrefs: 0066578F
@GUI_WINHANDLE, xrefs: 00664F8F

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 804402baa512691c416b491c34901ed041fa1af3f0ae744b0c2d2b80cf00b149
Instruction ID: 9527dcbf540cb7ed306c6c1a39f604791558a0f6062ffcec61d7d0f2b7629632
Opcode Fuzzy Hash: 804402baa512691c416b491c34901ed041fa1af3f0ae744b0c2d2b80cf00b149
Instruction Fuzzy Hash: DCB2CF70608B41DFD724DF24C895BAAB7E7BF85304F14491DE58A873A1CB71E889CB86

Function 00689155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00688F5F: __time64.LIBCMT ref: 00688F69

Part of subcall function 00624EE5: _fseek.LIBCMT ref: 00624EFD

__wsplitpath.LIBCMT ref: 00689234

Part of subcall function 006440FB: __wsplitpath_helper.LIBCMT ref: 0064413B

_wcscpy.LIBCMT ref: 00689247
_wcscat.LIBCMT ref: 0068925A
__wsplitpath.LIBCMT ref: 0068927F
_wcscat.LIBCMT ref: 00689295
_wcscat.LIBCMT ref: 006892A8

Part of subcall function 00688FA5: _memmove.LIBCMT ref: 00688FDE
Part of subcall function 00688FA5: _memmove.LIBCMT ref: 00688FED

_wcscmp.LIBCMT ref: 006891EF

Part of subcall function 00689734: _wcscmp.LIBCMT ref: 00689824
Part of subcall function 00689734: _wcscmp.LIBCMT ref: 00689837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00689452
_wcsncpy.LIBCMT ref: 006894C5
DeleteFileW.KERNEL32(?,?), ref: 006894FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00689511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00689522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00689534

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: b3c7dc915e72f19a30885fa34bfd0523267c56a17a8ff8a10d9bb1e854874a1a
Instruction ID: f39653f42829abfa12f8c206b4a5a487a2b6abca1db98be9664f2eb2762ea869
Opcode Fuzzy Hash: b3c7dc915e72f19a30885fa34bfd0523267c56a17a8ff8a10d9bb1e854874a1a
Instruction Fuzzy Hash: 6DC141B1D00119ABDF61EF95CC85AEEB7BEEF85310F0041AAF609E7141DB309A458F65

Function 0062708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00624706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006E52F8,?,006237AE,?), ref: 00624724

Part of subcall function 0064050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00627165), ref: 0064052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006271A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0065E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0065E909
RegCloseKey.ADVAPI32(?), ref: 0065E947
_wcscat.LIBCMT ref: 0065E9A0

Strings

\Include\, xrefs: 00627165
Software\AutoIt v3\AutoIt, xrefs: 0062719E
\, xrefs: 0065E9C3
Include, xrefs: 0065E8BF, 0065E900

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 313f735f4c71cfe90c3d45738c59f5bbf1ae190ef49d3f068cd89d4f322355ff
Instruction ID: 416e3faf0cc0d1726386208e1bb2ab19321c4c96638a61d48031875986efe404
Opcode Fuzzy Hash: 313f735f4c71cfe90c3d45738c59f5bbf1ae190ef49d3f068cd89d4f322355ff
Instruction Fuzzy Hash: 6871E1715083519EC344EF25EC819ABBBEAFF55390F40192EF5458B2A0DB319A48CF96

Function 00623A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00623A50
LoadCursorW.USER32(00000000,00007F00), ref: 00623A5F
LoadIconW.USER32(00000063), ref: 00623A76
LoadIconW.USER32(000000A4), ref: 00623A88
LoadIconW.USER32(000000A2), ref: 00623A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00623AC0
RegisterClassExW.USER32(?), ref: 00623B16

Part of subcall function 00623041: GetSysColorBrush.USER32(0000000F), ref: 00623074
Part of subcall function 00623041: RegisterClassExW.USER32(00000030), ref: 0062309E
Part of subcall function 00623041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 006230AF
Part of subcall function 00623041: LoadIconW.USER32(000000A9), ref: 006230F2

Strings

AutoIt v3, xrefs: 00623B05
0, xrefs: 00623AF4
#, xrefs: 00623AFB

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 94528747a93fbc6a056c074380563bbddc7598f121db2bb8e29fe01abbcfe067
Instruction ID: 0278d253f238d41dc8c8df19df68289978f710c8c30d0d1d13184a6845a8e492
Opcode Fuzzy Hash: 94528747a93fbc6a056c074380563bbddc7598f121db2bb8e29fe01abbcfe067
Instruction Fuzzy Hash: BC214B70D00754AFEB10DFA4EC89B9D7BB6FB08719F00112AF601AE2E1D7B596408F95

Function 00623766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 006237FB
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 006237AE
/AutoIt3ExecuteLine, xrefs: 006238A7
CMDLINE, xrefs: 00623822
/ErrorStdOut, xrefs: 0062387D
/AutoIt3OutputDebug, xrefs: 00623892
/AutoIt3ExecuteScript, xrefs: 006238BC

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: abbd80e33e1a59ec5451b941c71ad0429da4ea6aca738f1a8f4d0389e855e52a
Instruction ID: d8e5dd18f24bf15179201cb726d4305c36ccba1be815061c4e8d03401dfd1445
Opcode Fuzzy Hash: abbd80e33e1a59ec5451b941c71ad0429da4ea6aca738f1a8f4d0389e855e52a
Instruction Fuzzy Hash: 5BA14C71900A3D9ACB54EBA0EC91AEEB77ABF55300F44042EF516B7291EF745A08CF64

Function 00623015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 71
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00623074
RegisterClassExW.USER32(00000030), ref: 0062309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 006230AF
LoadIconW.USER32(000000A9), ref: 006230F2

Strings

AutoIt v3 GUI, xrefs: 00623090
0, xrefs: 00623056
TaskbarCreated, xrefs: 006230A4
+, xrefs: 0062305D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 6cb13191f34641b614e730f215a63f7ea16bd199fcc64b34c3600622d77e1e8e
Instruction ID: 91974da2e25a8f01a19e2e945ead3ab808fde5dd79837cdd82ed908bdbd2bd41
Opcode Fuzzy Hash: 6cb13191f34641b614e730f215a63f7ea16bd199fcc64b34c3600622d77e1e8e
Instruction Fuzzy Hash: 66315A71845354EFDB10DFE4E884A9ABFF2FB0A314F14516EE581EA2A0D3B55540CF91

Function 00623041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00623074
RegisterClassExW.USER32(00000030), ref: 0062309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 006230AF
LoadIconW.USER32(000000A9), ref: 006230F2

Strings

AutoIt v3 GUI, xrefs: 00623090
0, xrefs: 00623056
TaskbarCreated, xrefs: 006230A4
+, xrefs: 0062305D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: a573636607af37919fd90f21b46ec6c6df79b50d05cd26d08933c2a77f37ccbf
Instruction ID: c05a93e9e258d7ce924a7bfcdab44bb83239a7afe29c275bd48ec989f1939152
Opcode Fuzzy Hash: a573636607af37919fd90f21b46ec6c6df79b50d05cd26d08933c2a77f37ccbf
Instruction Fuzzy Hash: 1221E8B1911358AFDB00EFD4E888B9EBBF6FB09704F00512AF611AA2A0D7B155448F91

Function 016B56C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 016B5791
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 016B59B7

Memory Dump Source

Source File: 00000001.00000002.1280074208.00000000016B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 016B3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16b3000_F0DgoRk0p1.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: 2530ce01885856827f932bdb2aaec65984425382b2e3bb8bf1d1dfe38cdc7358
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: A9A11A70E00219EBDB14DFA4C894BEEBBB5FF48304F208559E216BB281D7759A85CF94

Function 00627285 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0065EA39
7574D0D0.COMDLG32(?), ref: 0065EA83

Part of subcall function 00624750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00624743,?,?,006237AE,?), ref: 00624770

Part of subcall function 00640791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006407B0

Strings

AutoIt script files (*.au3, *.a3x), xrefs: 0065EA67
au3, xrefs: 0065EA7C
X, xrefs: 0065EA51
Run Script:, xrefs: 0065EA58

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: NamePath$7574FullLong_memset
String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
API String ID: 3399031285-1954568251
Opcode ID: afd0a07a78ccdad7dae6645ff7a1b22f33c26884fc7b4700734c63f7c1b70f71
Instruction ID: 7223d76f4e260748eb2ef57113335aa81b98074f1e48c8fa6784dc30d098f325
Opcode Fuzzy Hash: afd0a07a78ccdad7dae6645ff7a1b22f33c26884fc7b4700734c63f7c1b70f71
Instruction Fuzzy Hash: 0621C070A006589FDF419F94D845BEE7BFAAF49315F00401AE908AB341DBB45A898FA6

Function 006239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00623A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00623A24
ShowWindow.USER32(00000000,?,?), ref: 00623A38
ShowWindow.USER32(00000000,?,?), ref: 00623A41

Strings

edit, xrefs: 00623A1E
AutoIt v3, xrefs: 006239FB, 00623A00, 00623A01

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7eba9eb3f5ccb48ddede60270728117a73b40f8590bd542b1aae058c9ad902d1
Instruction ID: a7f7beaa681723e6ff8a2e73507c85bf4ff28ab585a4037e8848deda1dbe9cfc
Opcode Fuzzy Hash: 7eba9eb3f5ccb48ddede60270728117a73b40f8590bd542b1aae058c9ad902d1
Instruction Fuzzy Hash: 0AF01770600390BEEB206B63AC88E6B3E7ED7C7F54B00102ABB01AA1B1C2611840CAB1

Function 0062686A Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00624DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624E0F

_free.LIBCMT ref: 0065E263
_free.LIBCMT ref: 0065E2AA

Part of subcall function 00626A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00626BAD

Strings

/vb, xrefs: 0065E084, 0065E0BD
Bad directive syntax error, xrefs: 0065E292
>>>AUTOIT SCRIPT<<<, xrefs: 0065E039

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: /vb$>>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-3773348423
Opcode ID: 4a9915f9ba4d7e3833287768adc0b34f29c46239af0ef206881699861188b4dd
Instruction ID: 753dfe03ce17015be5f82c0ac779467fe866167f0097b8e6315cf11a5997be30
Opcode Fuzzy Hash: 4a9915f9ba4d7e3833287768adc0b34f29c46239af0ef206881699861188b4dd
Instruction Fuzzy Hash: 35917C719006299FCF18EFA4DC819EDB7B6BF09310F10442EF816AB2A1DB759A15CF54

Function 016B5460 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 016B5350: Sleep.KERNELBASE(000001F4), ref: 016B5361

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016B55AB

Strings

VH287ZEOA3Y7TSD3MBEWPX, xrefs: 016B560E, 016B5611

Memory Dump Source

Source File: 00000001.00000002.1280074208.00000000016B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 016B3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16b3000_F0DgoRk0p1.jbxd

Similarity

API ID: CreateFileSleep
String ID: VH287ZEOA3Y7TSD3MBEWPX
API String ID: 2694422964-3329802950
Opcode ID: 0e76701b14dca6d2b0b656bc4ef6221d8079afcb8d9a1145093a11e420e77826
Instruction ID: 86d5f525f88648dd8c9c92692daac747c1a8bd05295366dd7f4ddb350ea070df
Opcode Fuzzy Hash: 0e76701b14dca6d2b0b656bc4ef6221d8079afcb8d9a1145093a11e420e77826
Instruction Fuzzy Hash: 44618170D04288DBEF11DBA4DC94BEEBBB9AF15304F044199E209BB2C1D7BA1B45CB65

Function 0062407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0065D3D7

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

_memset.LIBCMT ref: 006240FC
_wcscpy.LIBCMT ref: 00624150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00624160

Strings

Line: , xrefs: 0065D400

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 2af0063c789f21dc92895c4405931f081c203f047f941b44b7908dba9be29586
Instruction ID: a6be69154d49189a7ca9818ca15e909444502217fe4cbb2a32e288f86be9ddac
Opcode Fuzzy Hash: 2af0063c789f21dc92895c4405931f081c203f047f941b44b7908dba9be29586
Instruction Fuzzy Hash: 5331CF31008B55AED760EB60EC86FDB77DAAF44304F10491EF686961A1DF70A648CF8B

Function 0064541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0064547B
_memcpy_s.LIBCMT ref: 006454ED
__read_nolock.LIBCMT ref: 0064554B
__filbuf.LIBCMT ref: 0064556E
_memset.LIBCMT ref: 006455B2

Part of subcall function 00648B28: __getptd_noexit.LIBCMT ref: 00648B28

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 26e98994ce1d03fc4fddb8e84ce4f37b91b13ac5989830b873261ffbfab86d04
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: A451B570A00B05DBDB289FA9D8806BE77A7AF41321F24872DF8269A3D2D7709D518B40

Function 0062F76F Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00640162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00640193
Part of subcall function 00640162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0064019B
Part of subcall function 00640162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006401A6
Part of subcall function 00640162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006401B1
Part of subcall function 00640162: MapVirtualKeyW.USER32(00000011,00000000), ref: 006401B9
Part of subcall function 00640162: MapVirtualKeyW.USER32(00000012,00000000), ref: 006401C1

Part of subcall function 006360F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00636154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0062F9CD
OleInitialize.OLE32(00000000), ref: 0062FA4A
CloseHandle.KERNEL32(00000000), ref: 006645C8

Strings

%k, xrefs: 0062F796, 0062F7A8, 0062F96E, 0062FA51

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID: %k
API String ID: 3094916012-3601005739
Opcode ID: 3a4184785250ddbf1c8db809d2a646496be64b5e00d689debd30896691f74b3f
Instruction ID: 5de141e906b1b270f3b52c5edf49d1845d4c3e8dc2e3fcdd16cd8899afea3c49
Opcode Fuzzy Hash: 3a4184785250ddbf1c8db809d2a646496be64b5e00d689debd30896691f74b3f
Instruction Fuzzy Hash: 5881ADB0911BC1CFC784EF29A984A597BE7FB9830E750A12ED11BCF2A1EB7044858F55

Function 006235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006235A1,SwapMouseButtons,00000004,?), ref: 006235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006235A1,SwapMouseButtons,00000004,?,?,?,?,00622754), ref: 006235F5
RegCloseKey.KERNELBASE(00000000,?,?,006235A1,SwapMouseButtons,00000004,?,?,?,?,00622754), ref: 00623617

Strings

Control Panel\Mouse, xrefs: 006235D2

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fc5f1fcb132bca16bad12ac881556eb961d392402bf4d1f4ba9d32e19fa31037
Instruction ID: 4b2f9c9a7873933a64a06338a8652e5240d6d838875a4134420fa81ebffb05ff
Opcode Fuzzy Hash: fc5f1fcb132bca16bad12ac881556eb961d392402bf4d1f4ba9d32e19fa31037
Instruction Fuzzy Hash: CC114871610628BFDB209FA4EC40AEEB7BEEF05740F015469E805D7310E371AE409B60

Function 016B4350 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016B4B7D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016B4BA1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016B4BC3

Memory Dump Source

Source File: 00000001.00000002.1280074208.00000000016B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 016B3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16b3000_F0DgoRk0p1.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction ID: aba848f41481e668e19d8d2fb7879f06e74ce004fa4a283c606a61c36d6cbfbb
Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction Fuzzy Hash: 5362FD30A142589BEB24CFA4CC90BDEB776EF58300F1091A9D10DEB395EB759E81CB59

Function 0068955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00624EE5: _fseek.LIBCMT ref: 00624EFD

Part of subcall function 00689734: _wcscmp.LIBCMT ref: 00689824
Part of subcall function 00689734: _wcscmp.LIBCMT ref: 00689837

_free.LIBCMT ref: 006896A2
_free.LIBCMT ref: 006896A9
_free.LIBCMT ref: 00689714

Part of subcall function 00642D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00649A24), ref: 00642D69
Part of subcall function 00642D55: GetLastError.KERNEL32(00000000,?,00649A24), ref: 00642D7B

_free.LIBCMT ref: 0068971C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 203ce446b8c6ae054de069cf6062cf0d3dacfde601e89f8990f01956b96e6c1c
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: AF5160B1D04218AFDF649F64DC81AAEBB7AEF88300F14059EF209A3341DB715A80CF58

Function 0064470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006447A0
__flush.LIBCMT ref: 006447C0
__write.LIBCMT ref: 006447F3
__flsbuf.LIBCMT ref: 00644821

Part of subcall function 00648B28: __getptd_noexit.LIBCMT ref: 00648B28

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 930072b85efa6918722c0237b0a3d8508de926c50efee07a5ab237e07a604f43
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 3841A175A006459FDB188F69C882BEE7BA7AF42364B24857DE81587640EF70DD42CB44

Function 00624C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00624CBA

Strings

EA06, xrefs: 0065D8CC
AU3!P/k, xrefs: 00624CB4

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/k$EA06
API String ID: 4104443479-947634993
Opcode ID: 8c0d22e2f88f1237fb2a920ce468136b9baedcb53aba8316af59e607727d43ae
Instruction ID: bbd69b95f2385a23fca851b9c0a40a4cfe5edac4177bed78f64de250fec821fc
Opcode Fuzzy Hash: 8c0d22e2f88f1237fb2a920ce468136b9baedcb53aba8316af59e607727d43ae
Instruction Fuzzy Hash: 13415C21A04A7857DF219B64FC917FE7FA39F45300F684869EC82DB386DE209D458FA1

Function 00688D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00688DAC
__fread_nolock.LIBCMT ref: 00688DC1

Strings

EA06, xrefs: 00688DF3

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 78b77a54c0c916a178c33c9a6b6e43debc8199cce319ba48da43795c3daaa769
Instruction ID: 1631917c82f700ff4d183aa04757521ece419ad99e2c254eaeda88a9d19a5d03
Opcode Fuzzy Hash: 78b77a54c0c916a178c33c9a6b6e43debc8199cce319ba48da43795c3daaa769
Instruction Fuzzy Hash: 1801F971C042187FDB58DBA8C816EFE7BF9DF11301F00419FF552D2281E874A60487A0

Function 00640DB6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0064571C: __FF_MSGBANNER.LIBCMT ref: 00645733
Part of subcall function 0064571C: __NMSG_WRITE.LIBCMT ref: 0064573A
Part of subcall function 0064571C: RtlAllocateHeap.NTDLL(01500000,00000000,00000001), ref: 0064575F

std::exception::exception.LIBCMT ref: 00640DEC
__CxxThrowException@8.LIBCMT ref: 00640E01

Part of subcall function 0064859B: RaiseException.KERNEL32(?,?,00000000,006D9E78,?,00000001,?,?,?,00640E06,00000000,006D9E78,00629E8C,00000001), ref: 006485F0

Strings

bad allocation, xrefs: 00640DE1

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: 8ee61882e812137eb458074c74a62260f7f8de58ff04e7a68f0b89d615f53e2a
Instruction ID: 85efb2d76d1933edb9145388143853d91f275441199cc1195d44c3b5daa33950
Opcode Fuzzy Hash: 8ee61882e812137eb458074c74a62260f7f8de58ff04e7a68f0b89d615f53e2a
Instruction Fuzzy Hash: ABF0A47190022AA6DB10BEA8EC219DE7BEE9F01311F10082EFA0496292DF709A9486D5

Function 006898E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 006898F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0068990F

Strings

aut, xrefs: 00689909

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: bd3ee589cd398703f922f6789bf9c278881f5c03abd2eca070276a6ea4397805
Instruction ID: e1d2b9debb564981ca035f608afae9db7222dfe3cc4adfca61d3b2ba2d442495
Opcode Fuzzy Hash: bd3ee589cd398703f922f6789bf9c278881f5c03abd2eca070276a6ea4397805
Instruction Fuzzy Hash: 91D05B7594030D6BDB50ABD0DC0DFD6773DD704701F0002B1BA5491191D97066548F91

Function 0069CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0017ff7ee038409a8990686177ae785f8ada77d2f7003f95c09c46cdca49965a
Instruction ID: aea5431b28631a96d4ef8274c847f3412798afcec9c31766f8bcf5cc13f01af2
Opcode Fuzzy Hash: 0017ff7ee038409a8990686177ae785f8ada77d2f7003f95c09c46cdca49965a
Instruction Fuzzy Hash: B5F14E716087019FCB54DF28C48096ABBEAFF89324F54892EF8999B351D730E945CF92

Function 0062434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00624370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00624415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00624432

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 996159dbc1dd275f799f0c5fa0b167a1bb7a54a406a0ca06eae7b33cc687d488
Instruction ID: 356b029bf32afa71db83a8683f18bee543af054ed971620656965daf156ba5b5
Opcode Fuzzy Hash: 996159dbc1dd275f799f0c5fa0b167a1bb7a54a406a0ca06eae7b33cc687d488
Instruction Fuzzy Hash: 5F319370505B118FD720EF24E8846DBBBF9FB48308F00092EF69A86351DB70A944CF52

Function 0064571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00645733

Part of subcall function 0064A16B: __NMSG_WRITE.LIBCMT ref: 0064A192
Part of subcall function 0064A16B: __NMSG_WRITE.LIBCMT ref: 0064A19C

__NMSG_WRITE.LIBCMT ref: 0064573A

Part of subcall function 0064A1C8: GetModuleFileNameW.KERNEL32(00000000,006E33BA,00000104,00000000,00000001,00000000), ref: 0064A25A
Part of subcall function 0064A1C8: ___crtMessageBoxW.LIBCMT ref: 0064A308

Part of subcall function 0064309F: ___crtCorExitProcess.LIBCMT ref: 006430A5
Part of subcall function 0064309F: ExitProcess.KERNEL32 ref: 006430AE

Part of subcall function 00648B28: __getptd_noexit.LIBCMT ref: 00648B28

RtlAllocateHeap.NTDLL(01500000,00000000,00000001), ref: 0064575F

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 43074822e8364324c366b728482692f5c51a0dc9f6610e3d1a4f638244a33785
Instruction ID: 617e525efd6fd0215cd2399ca90d6cf5e02836d5212374fcf9164b07599804b4
Opcode Fuzzy Hash: 43074822e8364324c366b728482692f5c51a0dc9f6610e3d1a4f638244a33785
Instruction Fuzzy Hash: 0401DE31240B21EFE7513B78EC86AAE738B8F82761F101539F5069B382EE749D014A69

Function 006898A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00689548,?,?,?,?,?,00000004), ref: 006898BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00689548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 006898D1
CloseHandle.KERNEL32(00000000,?,00689548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006898D8

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 984edd8c5cfcb4c7cdee43a64191c4dea6422ca9f85afe1b74265d5536eacb40
Instruction ID: 237b5005c78ec637e27f70c2ce33c9eeed0bb840da2ea39c07fab485c28ac451
Opcode Fuzzy Hash: 984edd8c5cfcb4c7cdee43a64191c4dea6422ca9f85afe1b74265d5536eacb40
Instruction Fuzzy Hash: EFE08632240214BBDB313B94EC09FDA7B5AAB07760F144221FB54691E087B129119BD9

Function 00688D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00688D1B

Part of subcall function 00642D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00649A24), ref: 00642D69
Part of subcall function 00642D55: GetLastError.KERNEL32(00000000,?,00649A24), ref: 00642D7B

_free.LIBCMT ref: 00688D2C
_free.LIBCMT ref: 00688D3E

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 19073b72f6157b86c3bd1d831e93801bba71843a23933c05eddb933223a97924
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 6FE012A1A016024ACB64B678A940AD313DE8F9C392FA40A1DF40DD7286DE64FC828228

Function 0062A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0065FC01

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 19395b65963c0f1c94d8a34af575960ac44c0ff45ed4e795893e12eb4f0de314
Instruction ID: 653ba0b983189342a21755959dcd047921fc3c10f64b46d73c07c1e8ee0b7a1d
Opcode Fuzzy Hash: 19395b65963c0f1c94d8a34af575960ac44c0ff45ed4e795893e12eb4f0de314
Instruction Fuzzy Hash: CB225670608B21DFDB24DF54D490A6AB7E2BF84304F14896DE88A9B362D771EC45CF86

Function 00627A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00627AAB
_memmove.LIBCMT ref: 00627B16

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction ID: f7d734698e9ba13a032664dd20c3865f6e8ca0eafd3f72976f2ff5e999f4e0c8
Opcode Fuzzy Hash: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction Fuzzy Hash: E831B6B1604A16AFC704DF68D8D1D69F3AAFF48320715862DE919CB791EB30E921CF94

Function 006247D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

74D2C8D0.UXTHEME ref: 00624834

Part of subcall function 0064336C: __lock.LIBCMT ref: 00643372
Part of subcall function 0064336C: RtlDecodePointer.NTDLL(00000001), ref: 0064337E
Part of subcall function 0064336C: RtlEncodePointer.NTDLL(?), ref: 00643389

Part of subcall function 006248FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00624915
Part of subcall function 006248FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0062492A

Part of subcall function 00623B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00623B68
Part of subcall function 00623B3A: IsDebuggerPresent.KERNEL32 ref: 00623B7A
Part of subcall function 00623B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,006E52F8,006E52E0,?,?), ref: 00623BEB
Part of subcall function 00623B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00623C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00624874

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 2688871447-0
Opcode ID: 9a4a29ec9d92f0f9ba9b4bd087454b0e6993be3616476ffb3160aa80d5ea0400
Instruction ID: 1b2c0818f0a49f73f437a02875f9b4066f0af8f9bbbc7caf2d68c8b7012b197c
Opcode Fuzzy Hash: 9a4a29ec9d92f0f9ba9b4bd087454b0e6993be3616476ffb3160aa80d5ea0400
Instruction Fuzzy Hash: 7511DF718087A19FC700EF68E88580ABFEAEF99750F10891EF1418B2B1DB70D604CF96

Function 006455FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0064562C
__lock_file.LIBCMT ref: 0064564D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 2e6992d90879e38aa75cf8e9d52df6135063504821721812304379d401254f48
Instruction ID: 63a08cd6a681a0779b2f807870a5a5b3dcca370d1449ea71c463bd37374ff14a
Opcode Fuzzy Hash: 2e6992d90879e38aa75cf8e9d52df6135063504821721812304379d401254f48
Instruction Fuzzy Hash: FF01FC71C01A04EFCF51AFA88C064DE7B63AF52321F514119F8141B262DB318511DF55

Function 006453A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00648B28: __getptd_noexit.LIBCMT ref: 00648B28

__lock_file.LIBCMT ref: 006453EB

Part of subcall function 00646C11: __lock.LIBCMT ref: 00646C34

__fclose_nolock.LIBCMT ref: 006453F6

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: f92e061af294de62b4a76010d45d046dce902e14a12e73332f6086d0aa5be167
Instruction ID: a75bd8deb79e9fc797bc8fda98887e15e0eebc4887e7ffdf1a78df4b430d119d
Opcode Fuzzy Hash: f92e061af294de62b4a76010d45d046dce902e14a12e73332f6086d0aa5be167
Instruction Fuzzy Hash: CDF0F631C00A009FD7516F6488057ED6AE26F41374F20810CA421AB1C2DBBC49019B5A

Function 016B434D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016B4B7D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016B4BA1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016B4BC3

Memory Dump Source

Source File: 00000001.00000002.1280074208.00000000016B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 016B3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16b3000_F0DgoRk0p1.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: 1e5a9e0a9230c888f77987ea46ff8a7882149fdb0b31eee54b063e6ee32bb246
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: DC12CF24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F91CF5A

Function 00640C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00640CB7

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 650b96cf7f6b7a4a8f8b94fe166782ae82308188674715cc4813a89efc446a3b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 4A31C070A00115EBE718DF58D4C4AA9F7B6FB99300B6486A5E90ACB351DA31EDC2DBC0

Function 0065FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0065FCB7

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1e52585e9a49481af360846c5ffe6d93771b85e36150a0aba6a5a9923ecda7a5
Instruction ID: 1cfe8ab22770ac7eba9c563905ae5fae8942a71e4a6fdb365338184af58c5d7f
Opcode Fuzzy Hash: 1e52585e9a49481af360846c5ffe6d93771b85e36150a0aba6a5a9923ecda7a5
Instruction Fuzzy Hash: 644137746087518FDB24DF64C444B5ABBE2BF45318F0989ACE9998B362C372EC45CF52

Function 00627B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00627BB3

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3efc14475bded5e9e997421ffcdd80db02a2ab17949cef719348de52d857aad0
Instruction ID: 100ca4d8e0787d4627d421356fbfe7a9d37471e222b01053829c39700cfc7ea2
Opcode Fuzzy Hash: 3efc14475bded5e9e997421ffcdd80db02a2ab17949cef719348de52d857aad0
Instruction Fuzzy Hash: D1214872A04A19EBDF188F11F841B697BB7FF14352F20846EE896C5190EB31C2D4CB05

Function 00624DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00624BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00624BEF

Part of subcall function 0064525B: __wfsopen.LIBCMT ref: 00645266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624E0F

Part of subcall function 00624B6A: FreeLibrary.KERNEL32(00000000), ref: 00624BA4

Part of subcall function 00624C70: _memmove.LIBCMT ref: 00624CBA

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: deb2ba984f8831616f1ed231edb635e9657be15e12ead91718dfb03b5204bdb4
Instruction ID: 050b9239aad463899c53fbdfae097e535bb66e2e02a92acada79f1c2b29e917c
Opcode Fuzzy Hash: deb2ba984f8831616f1ed231edb635e9657be15e12ead91718dfb03b5204bdb4
Instruction Fuzzy Hash: FE112731600616ABDF20BFB0D802FAD77ABAF84750F10842DF981AB1C1DE719A019F55

Function 0065FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0065FD91

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a68fba13633335e3e7e8410ab42f18bc96cd2220293bcc2651e0938421bb0908
Instruction ID: fde2532e344238b964aa39466cbd90e5d17ae6310b308cad7352aa22fa3b95d0
Opcode Fuzzy Hash: a68fba13633335e3e7e8410ab42f18bc96cd2220293bcc2651e0938421bb0908
Instruction Fuzzy Hash: 14213374608711DFDB54DF64D444A5ABBE2BF88314F04896CF98A57722C731E805CF92

Function 00644863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 006448A6

Part of subcall function 00648B28: __getptd_noexit.LIBCMT ref: 00648B28

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: bb05233535a83c6bd24d326e55148122ed9878bb016c02bf2a3f248be5b24f09
Instruction ID: 076d10c39cd11088528951e08e20e253db08e3e84a3a002739031fac43c501bd
Opcode Fuzzy Hash: bb05233535a83c6bd24d326e55148122ed9878bb016c02bf2a3f248be5b24f09
Instruction Fuzzy Hash: B2F0AF31D01609EFDF91AFA48C067EE36A3AF01325F158418F424AB292CF79C951DB55

Function 00624E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624E7E

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: fd64f73aabe1eac26f939c94ba84d23ed9b8619f66e1dc2e93ac11e224bc71cd
Instruction ID: 0a4ecd472823315ae5927982e468e21f12039798be9e4d20454c24e19b6b1482
Opcode Fuzzy Hash: fd64f73aabe1eac26f939c94ba84d23ed9b8619f66e1dc2e93ac11e224bc71cd
Instruction Fuzzy Hash: 2BF03071505B22CFDB349F64E494852B7E2BF14325311893EE2D786611CB319840DF40

Function 00640791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006407B0

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 95a239556573a672e6cd437370dc0134c0ba770cf9a141992de6aca725ca25c5
Instruction ID: ec3adca7736c76c051c676f17afa0440b2cf29f78130f2671d94fee8b5c7c832
Opcode Fuzzy Hash: 95a239556573a672e6cd437370dc0134c0ba770cf9a141992de6aca725ca25c5
Instruction Fuzzy Hash: 8CE0CD369051285BC720E6989C05FEA77DEDFC97A2F0441B9FC4CD7254D9A0AD808AD5

Function 00688E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00688EC1

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 38e84488c2b2ab6ed4822b8426aaa1b0043ed3eb1cb7a577cc6985f5203754ad
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 5FE092B0104B045FD7389A24D800BE373E2AB05304F00091DF2AA93342EB6278418759

Function 0064525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00645266

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: fa004094fc970d5c6ddd0c2c4e7e8aa8d25aa75cacfbe6f1c0cf079ebec05a64
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: AEB0927644020C77CF012A82EC02A4A3B1A9B41764F408021FB0C18162A6B3A6649A89

Function 016B534C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016B5361

Memory Dump Source

Source File: 00000001.00000002.1280074208.00000000016B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 016B3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16b3000_F0DgoRk0p1.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: f176ec8f09312bf55f55131ab36109ecc4b9531a06e28b19e750f6861d17a1b9
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 0AE0BF7494110DEFDB00EFB4D9496DE7BB4EF04301F1005A1FD05D7681DB709E548A62

Function 016B5350 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016B5361

Memory Dump Source

Source File: 00000001.00000002.1280074208.00000000016B3000.00000040.00000020.00020000.00000000.sdmp, Offset: 016B3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_16b3000_F0DgoRk0p1.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 2bf3e341384355db98d2440d26673342faa945f63eb26e685382c8f760790d19
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 0CE0E67494110DDFDB00EFB4D9496DE7FB4EF04301F100161FD01D2281D6709D508A62

Non-executed Functions

Function 006ACABC Relevance: 68.9, APIs: 37, Strings: 2, Instructions: 632windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 006ACB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006ACB95
GetWindowLongW.USER32(?,000000F0), ref: 006ACBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006ACC00
SendMessageW.USER32 ref: 006ACC29
_wcsncpy.LIBCMT ref: 006ACC95
GetKeyState.USER32(00000011), ref: 006ACCB6
GetKeyState.USER32(00000009), ref: 006ACCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006ACCD9
GetKeyState.USER32(00000010), ref: 006ACCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006ACD0C
SendMessageW.USER32 ref: 006ACD33
SendMessageW.USER32(?,00001030,?,006AB348), ref: 006ACE37
SetCapture.USER32(?), ref: 006ACE69
ClientToScreen.USER32(?,?), ref: 006ACECE
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006ACEF5
ReleaseCapture.USER32 ref: 006ACF00
GetCursorPos.USER32(?), ref: 006ACF3A
ScreenToClient.USER32(?,?), ref: 006ACF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 006ACFA3
SendMessageW.USER32 ref: 006ACFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 006AD00E
SendMessageW.USER32 ref: 006AD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006AD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 006AD06D
GetCursorPos.USER32(?), ref: 006AD08D
ScreenToClient.USER32(?,?), ref: 006AD09A
GetParent.USER32(?), ref: 006AD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 006AD123
SendMessageW.USER32 ref: 006AD154
ClientToScreen.USER32(?,?), ref: 006AD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006AD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 006AD20C
SendMessageW.USER32 ref: 006AD22F
ClientToScreen.USER32(?,?), ref: 006AD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006AD2B5

Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC

GetWindowLongW.USER32(?,000000F0), ref: 006AD351

Strings

F, xrefs: 006AD235
@GUI_DRAGID, xrefs: 006ACE9C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 302779176-4164748364
Opcode ID: 941b0674d2d1cb306d09e1648cc842d663b256ee8f7ef13c0da362ecaa7a1dc0
Instruction ID: 986be0ccbf209f6b9b94e2b64cfdb6f8c4f5dcc7303815e5865f985e7a3633d0
Opcode Fuzzy Hash: 941b0674d2d1cb306d09e1648cc842d663b256ee8f7ef13c0da362ecaa7a1dc0
Instruction Fuzzy Hash: 04429D34204741AFDB24EF64C894AAABBE6FF4A320F141559F556872A1C732EC50DFA2

Function 00636F9E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006371C3
_memset.LIBCMT ref: 00637539
_memmove.LIBCMT ref: 006376AC

Strings

\b(?=\w), xrefs: 00673769
[:>:]], xrefs: 00637492
Q\E, xrefs: 00637FCB
\b(?<=\w), xrefs: 00673773
_c, xrefs: 006723CB
DEFINE, xrefs: 00672103
3cc, xrefs: 006723A0
[:<:]], xrefs: 00637479

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memmove$_memset
String ID: 3cc$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_c
API String ID: 1357608183-306146363
Opcode ID: 36ee253df393f249322d5a2a75a45a124560239b6574e65f524b142246ffcbc3
Instruction ID: c18d6c14ba57446e736c93a3c20881fd5751ba1544ede8f95f41f7aa676efb82
Opcode Fuzzy Hash: 36ee253df393f249322d5a2a75a45a124560239b6574e65f524b142246ffcbc3
Instruction Fuzzy Hash: 37939471A04216DFDB24CF58C8917EDB7B2FF48710F25816AE959AB381E7709D82DB80

Function 006248D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 006248DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0065D665
IsIconic.USER32(?), ref: 0065D66E
ShowWindow.USER32(?,00000009), ref: 0065D67B
SetForegroundWindow.USER32(?), ref: 0065D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0065D69B
GetCurrentThreadId.KERNEL32 ref: 0065D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0065D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0065D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0065D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0065D6CF
SetForegroundWindow.USER32(?), ref: 0065D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0065D6E7
keybd_event.USER32(00000012,00000000), ref: 0065D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0065D6FC
keybd_event.USER32(00000012,00000000), ref: 0065D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0065D70A
keybd_event.USER32(00000012,00000000), ref: 0065D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0065D719
keybd_event.USER32(00000012,00000000), ref: 0065D71E
SetForegroundWindow.USER32(?), ref: 0065D721
AttachThreadInput.USER32(?,?,00000000), ref: 0065D748

Strings

Shell_TrayWnd, xrefs: 0065D660

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: bbf39c45ba901beb20547f0c7c846a14cfb11c12b8f02a13f7727376b2f17adf
Instruction ID: 87335f3673cc304410890a2259685392c2d2061225e1b65f9f76b75568c27818
Opcode Fuzzy Hash: bbf39c45ba901beb20547f0c7c846a14cfb11c12b8f02a13f7727376b2f17adf
Instruction Fuzzy Hash: 6A316271A40318BBEB306FA19C49FBF7E6EEB45B51F105025FA04EA1D1C6B06941AFA1

Function 0068C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0068C78D
FindClose.KERNEL32(00000000), ref: 0068C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0068C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0068C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0068C844
__swprintf.LIBCMT ref: 0068C890
__swprintf.LIBCMT ref: 0068C8D3

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

__swprintf.LIBCMT ref: 0068C927

Part of subcall function 00643698: __woutput_l.LIBCMT ref: 006436F1

__swprintf.LIBCMT ref: 0068C975

Part of subcall function 00643698: __flsbuf.LIBCMT ref: 00643713
Part of subcall function 00643698: __flsbuf.LIBCMT ref: 0064372B

__swprintf.LIBCMT ref: 0068C9C4
__swprintf.LIBCMT ref: 0068CA13
__swprintf.LIBCMT ref: 0068CA62

Strings

%4d, xrefs: 0068C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 0068C88A
%02d, xrefs: 0068C91B, 0068C925, 0068C973, 0068C9C2, 0068CA11, 0068CA60

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 29e3699ffa9371f7b2c7dfda50e5a9ff8f097714f4c7f3e593a251636e6ada55
Instruction ID: 1e57ff5922c3d59946d7cd9a5ee6d4f86a6302995002d86eb4f1ded3a1aea06e
Opcode Fuzzy Hash: 29e3699ffa9371f7b2c7dfda50e5a9ff8f097714f4c7f3e593a251636e6ada55
Instruction Fuzzy Hash: 80A14CB1408754ABC754EFA4D885DAFB7EEBF85700F40091EF58587291EA34EA08CF66

Function 0068EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 0068EFB6
_wcscmp.LIBCMT ref: 0068EFCB
_wcscmp.LIBCMT ref: 0068EFE2
GetFileAttributesW.KERNEL32(?), ref: 0068EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0068F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0068F026
FindClose.KERNEL32(00000000), ref: 0068F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0068F04D
_wcscmp.LIBCMT ref: 0068F074
_wcscmp.LIBCMT ref: 0068F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0068F09D
SetCurrentDirectoryW.KERNEL32(006D8920), ref: 0068F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0068F0C5
FindClose.KERNEL32(00000000), ref: 0068F0D2
FindClose.KERNEL32(00000000), ref: 0068F0E4

Strings

*.*, xrefs: 0068F048

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: a3acdf50a8293074056b21372665cc9ef49ed089d1f54ec1dc3d2aa036dfb5d2
Instruction ID: de321aaf10174b33b88985fc0624e67aaad5689d33ad1b4cab8a723cabfbe9f7
Opcode Fuzzy Hash: a3acdf50a8293074056b21372665cc9ef49ed089d1f54ec1dc3d2aa036dfb5d2
Instruction Fuzzy Hash: 8D31C3325012196EDB24BBE4DC68BEE77AE9F49360F100276E844E3291DB70EE44CF65

Function 006A0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,006AF910,00000000,?,00000000,?,?), ref: 006A09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006A0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 006A0A92
RegCloseKey.ADVAPI32(?), ref: 006A0DB2
RegCloseKey.ADVAPI32(00000000), ref: 006A0DBF

Strings

REG_QWORD, xrefs: 006A0D00
REG_SZ, xrefs: 006A0AD0
REG_DWORD, xrefs: 006A0C83
REG_EXPAND_SZ, xrefs: 006A0A2F
REG_BINARY, xrefs: 006A0D4D
REG_MULTI_SZ, xrefs: 006A0B7A

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 9325d6eb5e645ab0f3ae51ceaebbc45e48284ea5d43fe53ae1e629f1bf704eea
Instruction ID: 750f0b418becac1ed9669e6ec1c1cfd5bfbce5dcb1933a695c4051dfb95ca51f
Opcode Fuzzy Hash: 9325d6eb5e645ab0f3ae51ceaebbc45e48284ea5d43fe53ae1e629f1bf704eea
Instruction Fuzzy Hash: 860258756006119FDB54EF24D851E6AB7E6EF8A310F04895CF88A9B3A2CB34EC01CF95

Function 006AC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

DragQueryPoint.SHELL32(?,?), ref: 006AC627

Part of subcall function 006AAB37: ClientToScreen.USER32(?,?), ref: 006AAB60
Part of subcall function 006AAB37: GetWindowRect.USER32(?,?), ref: 006AABD6
Part of subcall function 006AAB37: PtInRect.USER32(?,?,006AC014), ref: 006AABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 006AC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006AC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006AC6BE
_wcscat.LIBCMT ref: 006AC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 006AC705
SendMessageW.USER32(?,000000B0,?,?), ref: 006AC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 006AC735
SendMessageW.USER32(?,000000B1,?,?), ref: 006AC757
DragFinish.SHELL32(?), ref: 006AC75E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 006AC851

Strings

@GUI_DRAGFILE, xrefs: 006AC800
@GUI_DROPID, xrefs: 006AC77E
@GUI_DRAGID, xrefs: 006AC7C9

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: 47ced03031d16209c941e9faa8f3bddb1d3217432054c2d96528dded8a16ad60
Instruction ID: ccdab7b19303ff2898d43531e36a53e8efb80b241cfcbaad96540312aca76da2
Opcode Fuzzy Hash: 47ced03031d16209c941e9faa8f3bddb1d3217432054c2d96528dded8a16ad60
Instruction Fuzzy Hash: D4617D71508310AFC701EF64DC85D9FBBEAEF8A710F00092EF591962A1DB30A949CF96

Function 0068F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 0068F113
_wcscmp.LIBCMT ref: 0068F128
_wcscmp.LIBCMT ref: 0068F13F

Part of subcall function 00684385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006843A0

FindNextFileW.KERNEL32(00000000,?), ref: 0068F16E
FindClose.KERNEL32(00000000), ref: 0068F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0068F195
_wcscmp.LIBCMT ref: 0068F1BC
_wcscmp.LIBCMT ref: 0068F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0068F1E5
SetCurrentDirectoryW.KERNEL32(006D8920), ref: 0068F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0068F20D
FindClose.KERNEL32(00000000), ref: 0068F21A
FindClose.KERNEL32(00000000), ref: 0068F22C

Strings

*.*, xrefs: 0068F190

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: ee05a906f35f036c6190e3c87307be7c2a8d5f826332decf6f9845efd0015f66
Instruction ID: 7974f6a4d6cac6e3e302704899f47a14501a81253f436b1ba6d7baffb96d4e97
Opcode Fuzzy Hash: ee05a906f35f036c6190e3c87307be7c2a8d5f826332decf6f9845efd0015f66
Instruction Fuzzy Hash: FF31B7365001196ADB24BBE4EC69BEE77AE9F45360F100275E840E3290DB71DF45CF69

Function 0068A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0068A20F
__swprintf.LIBCMT ref: 0068A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0068A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0068A293
_memset.LIBCMT ref: 0068A2B2
_wcsncpy.LIBCMT ref: 0068A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0068A323
CloseHandle.KERNEL32(00000000), ref: 0068A32E
RemoveDirectoryW.KERNEL32(?), ref: 0068A337
CloseHandle.KERNEL32(00000000), ref: 0068A341

Strings

\, xrefs: 0068A247
\??\%s, xrefs: 0068A22B
:, xrefs: 0068A252

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 37eaf9ba7bfb2f1cfb2a047dcf17b4597a2faf6d776a255b9a7c6162a0209963
Instruction ID: fcffe27ce78eef8ad8b815bcb75d2104ec3e0259daf3175391aad20cd0c39c67
Opcode Fuzzy Hash: 37eaf9ba7bfb2f1cfb2a047dcf17b4597a2faf6d776a255b9a7c6162a0209963
Instruction Fuzzy Hash: F23182B1900109ABDB21AFE0DC49FEB77BEEF89740F1041B6F908D6250E77197448B65

Function 006AC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006AC1FC
GetFocus.USER32 ref: 006AC20C
GetDlgCtrlID.USER32(00000000), ref: 006AC217
_memset.LIBCMT ref: 006AC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006AC36D
GetMenuItemCount.USER32(?), ref: 006AC38D
GetMenuItemID.USER32(?,00000000), ref: 006AC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006AC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006AC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006AC454
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 006AC489

Strings

0, xrefs: 006AC33A

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: e29ea70dea41f72b0256ceccd54748d50f952c2fd02c233136b65a70162b67ec
Instruction ID: b39775455dc34053daba38c6f11c0d09777bfd6e6d03142153016613aad768d8
Opcode Fuzzy Hash: e29ea70dea41f72b0256ceccd54748d50f952c2fd02c233136b65a70162b67ec
Instruction Fuzzy Hash: E1818D706083119FDB10EF54C894AABBBE6EF8A324F00492DF99597291D730DD05CF96

Function 006366E1 Relevance: 20.9, Strings: 16, Instructions: 889COMMON

Download Yara Rule

Strings

LIMIT_RECURSION=, xrefs: 006711FC
LIMIT_MATCH=, xrefs: 00671170
_c, xrefs: 00671465, 0067150C, 006715B4
BSR_ANYCRLF), xrefs: 0067131E
CR), xrefs: 00671287
ANY), xrefs: 006712DE
BSR_UNICODE), xrefs: 00671338
LF), xrefs: 006712A4
CRLF), xrefs: 006712C1
NO_AUTO_POSSESS), xrefs: 0067112E
UTF16), xrefs: 006710CF
ANYCRLF), xrefs: 006712FB
UTF), xrefs: 006710FA
3cc, xrefs: 006368FF
NO_START_OPT), xrefs: 0067114F
UCP), xrefs: 0067110D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID: 3cc$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_c
API String ID: 0-3822978975
Opcode ID: 7185eb594d6550c741ccb442fa87501689a5bdaa84dc7aeac3d96e3bfd06d629
Instruction ID: 27f9f0bc7a89536fda01e6cbb7e95314a78e8fa92e9e3d9a05187d704d222e79
Opcode Fuzzy Hash: 7185eb594d6550c741ccb442fa87501689a5bdaa84dc7aeac3d96e3bfd06d629
Instruction Fuzzy Hash: 62724E75E002199BDB14CF59C8807EEB7B6FF45710F14C16AE85AEB391EB709A81CB90

Function 0068001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00680097
SetKeyboardState.USER32(?), ref: 00680102
GetAsyncKeyState.USER32(000000A0), ref: 00680122
GetKeyState.USER32(000000A0), ref: 00680139
GetAsyncKeyState.USER32(000000A1), ref: 00680168
GetKeyState.USER32(000000A1), ref: 00680179
GetAsyncKeyState.USER32(00000011), ref: 006801A5
GetKeyState.USER32(00000011), ref: 006801B3
GetAsyncKeyState.USER32(00000012), ref: 006801DC
GetKeyState.USER32(00000012), ref: 006801EA
GetAsyncKeyState.USER32(0000005B), ref: 00680213
GetKeyState.USER32(0000005B), ref: 00680221

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3cb871cbbe6c2011070fd17f8bd263958b1ab48960c5a49f03cc37800a6d28d7
Instruction ID: 5a0dd8819fec04189d7f1210d49a8cda484276dfb6b5277213693a18da0d93d5
Opcode Fuzzy Hash: 3cb871cbbe6c2011070fd17f8bd263958b1ab48960c5a49f03cc37800a6d28d7
Instruction Fuzzy Hash: 2351EF309047882DFB75FBA088557EABFB69F02380F084B9DD5C15A2C3DAA49B8CC751

Function 006A03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0069FDAD,?,?), ref: 006A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A04AC

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006A054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006A05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 006A0822
RegCloseKey.ADVAPI32(00000000), ref: 006A082F

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: e39a751975b75391fa8ff5fff81b2f98180fc0ba48e6dcdb8041b680e32532b4
Instruction ID: 2d8c01e566101d8bb66642186af8ecaf33dc0ce706c832f76569e91c1b2c2917
Opcode Fuzzy Hash: e39a751975b75391fa8ff5fff81b2f98180fc0ba48e6dcdb8041b680e32532b4
Instruction Fuzzy Hash: BAE16F31604210AFDB54EF24C895D6ABBE6FF8A314F04896DF44ADB261D631ED01CF96

Function 006983BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

CoInitialize.OLE32 ref: 00698403
CoUninitialize.COMBASE ref: 0069840E
CoCreateInstance.COMBASE(?,00000000,00000017,006B2BEC,?), ref: 0069846E
IIDFromString.COMBASE(?,?), ref: 006984E1
VariantInit.OLEAUT32(?), ref: 0069857B
VariantClear.OLEAUT32(?), ref: 006985DC

Strings

Failed to create object, xrefs: 00698479, 0069852F
Invalid parameter, xrefs: 006984FA
NULL Pointer assignment, xrefs: 006984B3

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: f60117f5b366d3d0d3ae969b1a838bff738f2d2e45e2afb6ea710ea36f2928d9
Instruction ID: a6792b1a7383dcf0688ef3e99ddf51e45fe68ae7f5cf11e7bf33e24963fd1fdb
Opcode Fuzzy Hash: f60117f5b366d3d0d3ae969b1a838bff738f2d2e45e2afb6ea710ea36f2928d9
Instruction Fuzzy Hash: E361E4706083129FCB50DF64C848F9EB7EAAF8A754F04441DF9859B691CB70ED49CB92

Function 00694164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0069418B
EmptyClipboard.USER32 ref: 00694191
GlobalAlloc.KERNEL32(00000002,?), ref: 006941A6
CloseClipboard.USER32 ref: 00694245

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2f90630026b1d4cfb62efc889aced2c212807af0f1a59aea9c7957acdce3e156
Instruction ID: f230954eb73c96d8d22202b448384b548c6fc4f184fc89ad7db22e08cb86dfe8
Opcode Fuzzy Hash: 2f90630026b1d4cfb62efc889aced2c212807af0f1a59aea9c7957acdce3e156
Instruction Fuzzy Hash: 1821BF352006109FDB10AFA0EC09F697BAAFF46350F14802AF9469B2A1CB34BD02CF59

Function 006837EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00624750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00624743,?,?,006237AE,?), ref: 00624770

Part of subcall function 00684A31: GetFileAttributesW.KERNEL32(?,0068370B), ref: 00684A32

FindFirstFileW.KERNEL32(?,?), ref: 006838A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0068394B
MoveFileW.KERNEL32(?,?), ref: 0068395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0068397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0068399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 006839B9

Strings

\*.*, xrefs: 0068384E, 00683857, 0068386C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 276ea7a29092f5d63d1eeeaaa8d7a5bd17081b53ad3b433788ea5bb474dbf33d
Instruction ID: 3733d9b24c8ccab10ce0b56a6b0bd1ae99f70bf4336b209bfece112356ef1f29
Opcode Fuzzy Hash: 276ea7a29092f5d63d1eeeaaa8d7a5bd17081b53ad3b433788ea5bb474dbf33d
Instruction Fuzzy Hash: DE517B3180556DAACF15FBA0E992DEDB77AAF11300F600269E40276291EF316F09CF65

Function 0068F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0068F440
Sleep.KERNEL32(0000000A), ref: 0068F470
_wcscmp.LIBCMT ref: 0068F484
_wcscmp.LIBCMT ref: 0068F49F
FindNextFileW.KERNEL32(?,?), ref: 0068F53D
FindClose.KERNEL32(00000000), ref: 0068F553

Strings

*.*, xrefs: 0068F425

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 1c7e1f2eb6b5d1ce7dc17933c45ce49c19b910d89153e2aed0e3b2264a6ebf85
Instruction ID: b740442d82ade455850f12482f1a6b90a974add97e1194d4b4b1074b9cbea8c3
Opcode Fuzzy Hash: 1c7e1f2eb6b5d1ce7dc17933c45ce49c19b910d89153e2aed0e3b2264a6ebf85
Instruction Fuzzy Hash: 5841B17190021A9FCF54EFA4DC49AEEBBB6FF15310F10456AE815A3291DB30AE85CF91

Function 006AD43E Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

GetSystemMetrics.USER32(0000000F), ref: 006AD47C
GetSystemMetrics.USER32(0000000F), ref: 006AD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 006AD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006AD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006AD716
ShowWindow.USER32(00000003,00000000), ref: 006AD735
InvalidateRect.USER32(?,00000000,00000001), ref: 006AD75A
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 006AD77D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: dd68bdb146d324bf2e2db7cb47460d5a514dd7154d3341d19810a630dbeeeedd
Instruction ID: 03200f7b08be2d556dde7ccaac994bc287486279fbefe6f930bf78ec17455b6e
Opcode Fuzzy Hash: dd68bdb146d324bf2e2db7cb47460d5a514dd7154d3341d19810a630dbeeeedd
Instruction Fuzzy Hash: 33B19A71600225ABDF18EF68C9857ED7BB2BF0A701F089069EC4A9B695D734AD50CF90

Function 00633030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_c, xrefs: 00633322
3cc, xrefs: 00633225

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cc$_c
API String ID: 674341424-1111051329
Opcode ID: c5bfea5f1f9fb9cbfce1c7670ea2a81dc75529a9fca11d7bd43366263f68932a
Instruction ID: 47635ffd8e32e4914e44246dd2b81a931c9b9bfd4dfe3779e42c5961f5e77aeb
Opcode Fuzzy Hash: c5bfea5f1f9fb9cbfce1c7670ea2a81dc75529a9fca11d7bd43366263f68932a
Instruction Fuzzy Hash: 8F22BD716087109FD764DF24D881BAFB7E6AF84310F04492CF88A97392DB31EA45CB96

Function 0067E616 Relevance: 11.1, APIs: 1, Strings: 6, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0067E628

Strings

InterfaceDispatch, xrefs: 0067E7DE
Release, xrefs: 0067E946
QueryInterface, xrefs: 0067E871
|, xrefs: 0067E658
AddRef, xrefs: 0067E8FE
(, xrefs: 0067E66E

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: lstrlen
String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
API String ID: 1659193697-2318614619
Opcode ID: 39192d7be05cdc3d92c7f7dcf2e5a037861e6a83ca8f613d66f8501cb417c29a
Instruction ID: 1331a9d4d8f13975597bf675d084e7b5d80082bbcd0354badf5745c8e2f5760c
Opcode Fuzzy Hash: 39192d7be05cdc3d92c7f7dcf2e5a037861e6a83ca8f613d66f8501cb417c29a
Instruction Fuzzy Hash: 87322575A007059FD728CF29C4819AAB7F2FF48310B15C4AEE99ADB3A1E771E941CB44

Function 00635760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006358A5
_memmove.LIBCMT ref: 006358F5
_memmove.LIBCMT ref: 0063595B

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 93b6aa0f353b039bd0b98147807972af6711bceb4a57fef92f53220a3c3cbf6e
Instruction ID: cb22968637a3c9b65dc44b15d49a6064508418579f702fdc28ee8cde5fcaa765
Opcode Fuzzy Hash: 93b6aa0f353b039bd0b98147807972af6711bceb4a57fef92f53220a3c3cbf6e
Instruction Fuzzy Hash: 74129E70A00619DFDF14DFA5D981AEEB7F6FF48300F108569E406E7290EB35A911CBA5

Function 00683B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00624750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00624743,?,?,006237AE,?), ref: 00624770

Part of subcall function 00684A31: GetFileAttributesW.KERNEL32(?,0068370B), ref: 00684A32

FindFirstFileW.KERNEL32(?,?), ref: 00683B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00683BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00683BEA
FindClose.KERNEL32(00000000), ref: 00683C01
FindClose.KERNEL32(00000000), ref: 00683C0A

Strings

\*.*, xrefs: 00683B5B

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2473279fb88aedb8691a68b996a273f17fd13ef586425509dec30b7462f39c2f
Instruction ID: 3857f9bcd2fa889c4fbb542cf027624e963a76cebb0299d4dab145774633795c
Opcode Fuzzy Hash: 2473279fb88aedb8691a68b996a273f17fd13ef586425509dec30b7462f39c2f
Instruction Fuzzy Hash: F63192710087959FC340FF64D891DAFB7EAAE92310F404E1DF4D592291EB21DA09CB67

Function 006851BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0067882B
Part of subcall function 006787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00678858
Part of subcall function 006787E1: GetLastError.KERNEL32 ref: 00678865

ExitWindowsEx.USER32(?,00000000), ref: 006851F9

Strings

@, xrefs: 006851EC
SeShutdownPrivilege, xrefs: 006851C9
, xrefs: 006851E7

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 1400f7a833b8e2beccd5dd053696030a7f14718961e0c640d84628a3c25578ec
Instruction ID: 25c64bdfecc8b5333dd49ca332beb94cbebd654d3aebbb5dced0e94f7d60b559
Opcode Fuzzy Hash: 1400f7a833b8e2beccd5dd053696030a7f14718961e0c640d84628a3c25578ec
Instruction Fuzzy Hash: 04014C316A16116BE72873649CBAFFA725BE705340F100625F843E21D2DD511D014790

Function 00696283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 006962DC
WSAGetLastError.WS2_32(00000000), ref: 006962EB
bind.WS2_32(00000000,?,00000010), ref: 00696307
listen.WS2_32(00000000,00000005), ref: 00696316
WSAGetLastError.WS2_32(00000000), ref: 00696330
closesocket.WS2_32(00000000), ref: 00696344

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 489d8d91019ffb36e52b72cfe4b380acd614d2c158f42a97e5e48d09d693fba2
Instruction ID: 4042f3219d4c5c8ae0888f8acc0b8054f212a14f338d2fd83f02bb1f822a7885
Opcode Fuzzy Hash: 489d8d91019ffb36e52b72cfe4b380acd614d2c158f42a97e5e48d09d693fba2
Instruction Fuzzy Hash: B421D0316006109FCF10EF64D885AAEB7BAEF49720F148159F856A73D1C770AD01CF65

Function 00635520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00640DB6: std::exception::exception.LIBCMT ref: 00640DEC
Part of subcall function 00640DB6: __CxxThrowException@8.LIBCMT ref: 00640E01

_memmove.LIBCMT ref: 00670258
_memmove.LIBCMT ref: 0067036D
_memmove.LIBCMT ref: 00670414

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 7f84084d6c90706efbbbccf4bdbb7efae551ca13fd0c6a3c512434ebc6cc88d9
Instruction ID: b6edbaf0e7b69a209991ad3efe746118b8eda1f47653486112c7922fd9918700
Opcode Fuzzy Hash: 7f84084d6c90706efbbbccf4bdbb7efae551ca13fd0c6a3c512434ebc6cc88d9
Instruction Fuzzy Hash: A002BEB0E00619DBDF04DF64D982AAEBBB6EF44310F14806DE80ADB355EB31D951CBA5

Function 00621287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 006219FA
GetSysColor.USER32(0000000F), ref: 00621A4E
SetBkColor.GDI32(?,00000000), ref: 00621A61

Part of subcall function 00621290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 006212D8

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: 4d7db3f8fdcec27df5c970f924951c12f1526bcfef8441fc5a51c1bba8cc913b
Instruction ID: faeff168ff9b75a139425bad54b8c4576929e4ff0c493328893a5ba204c6c130
Opcode Fuzzy Hash: 4d7db3f8fdcec27df5c970f924951c12f1526bcfef8441fc5a51c1bba8cc913b
Instruction Fuzzy Hash: 4CA17B7110AD74BAD738AB286C44EFF255FDB63342F14110DF902DD292CA229D429EB6

Function 00696747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00697D8B: inet_addr.WS2_32(00000000), ref: 00697DB6

socket.WS2_32(00000002,00000002,00000011), ref: 0069679E
WSAGetLastError.WS2_32(00000000), ref: 006967C7
bind.WS2_32(00000000,?,00000010), ref: 00696800
WSAGetLastError.WS2_32(00000000), ref: 0069680D
closesocket.WS2_32(00000000), ref: 00696821

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: a28e6d754a37a50409111d0ecfe43d4e86240e6beec038aee65eb287b52e8d0f
Instruction ID: bf53088007ccbb7b12e9cd5c36deef3fb27dd9cfaa337f4ffbafdfbd6c30f697
Opcode Fuzzy Hash: a28e6d754a37a50409111d0ecfe43d4e86240e6beec038aee65eb287b52e8d0f
Instruction Fuzzy Hash: 94410471A00620AFDB90BF64DC82F6E77AADF85714F04845CF905AB3C2CA74AD008BA5

Function 006A5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006A53C5
IsWindowEnabled.USER32 ref: 006A53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 006A53E0
IsIconic.USER32 ref: 006A53EE
IsZoomed.USER32 ref: 006A53FC

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 8d111d8623f9844e3cdab36536d08a3b85ea91dd4e910d9bacc374c0e842bfba
Instruction ID: ae51b62b2a59e743e7c66cc1a0a470ff3d1baf3f1b343cacd100d1df4dfb431a
Opcode Fuzzy Hash: 8d111d8623f9844e3cdab36536d08a3b85ea91dd4e910d9bacc374c0e842bfba
Instruction Fuzzy Hash: 0111E6317009215FDB20BF269C44A5A7BDBEF867A1B004428F846D3241DB74EC018EA5

Function 006780A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006780C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006780CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006780D9
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 006780E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006780F6

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 0a4d714d98111095989e475b630a1c351074ec31852dc77e19cf99b9786094bf
Instruction ID: 693a533e1b189f4335193aaed69cbcdbd547f92f25451012b6f6290cdb2b6bc0
Opcode Fuzzy Hash: 0a4d714d98111095989e475b630a1c351074ec31852dc77e19cf99b9786094bf
Instruction Fuzzy Hash: 57F06231250205AFEB101FA5EC8DEA73BAEEF4A755B404025F949C7250CB61AC51DE61

Function 0069EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0069EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0069EE4B

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Process32NextW.KERNEL32(00000000,?), ref: 0069EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0069EF1A

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: fded3e8f5e42064d8087eadd2d6110423d121a48dc4408423e969c90dd232067
Instruction ID: b97fc837f94d51839cb7af8b7dc567af98284886db40a3460e9365fd18e3bcaa
Opcode Fuzzy Hash: fded3e8f5e42064d8087eadd2d6110423d121a48dc4408423e969c90dd232067
Instruction Fuzzy Hash: D4519D71504711AFD760EF20DC81EABB7E9EF84710F40482DF495972A1EB30A908CB96

Function 006AC498 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

GetCursorPos.USER32(?), ref: 006AC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0065B9AB,?,?,?,?,?), ref: 006AC4E7
GetCursorPos.USER32(?), ref: 006AC534
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0065B9AB,?,?,?), ref: 006AC56E

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 963b8fe837a3880aaa7304535635ef8617bc4ebdb380dd62df07a25f873a8338
Instruction ID: c1b9f3ab19061e9d2ef5b60c6ed9d4f6a1ac3be79b15b3b12a1bc79f7676698c
Opcode Fuzzy Hash: 963b8fe837a3880aaa7304535635ef8617bc4ebdb380dd62df07a25f873a8338
Instruction Fuzzy Hash: 77316435900558EFCB159F58C854DEA7BB7EF0A320F444159F9058B361C7316D61DF94

Function 006785B1 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006785E2
OpenProcessToken.ADVAPI32(00000000), ref: 006785E9
CloseHandle.KERNEL32(00000004), ref: 00678603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00678632

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 3b8057cb75608b99c534bb8ef083008e17fe207b56640a301da7e04e80f25262
Instruction ID: 6faf70bbdd9a557b40bfa5e3aaf41a3b9616d1591da416bcf9bd1506a09c318f
Opcode Fuzzy Hash: 3b8057cb75608b99c534bb8ef083008e17fe207b56640a301da7e04e80f25262
Instruction Fuzzy Hash: 6D115C72540209AFDF019FE4ED49FDE7BAAEF49304F048064FE04A2160C7719E61DB61

Function 00621290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 006212D8
GetClientRect.USER32(?,?), ref: 0065B5FB
GetCursorPos.USER32(?), ref: 0065B605
ScreenToClient.USER32(?,?), ref: 0065B610

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: 804f2d8f64e3d91cd661ae10e84bbb59f721d1aead2e720422563cb2dc371d18
Instruction ID: 2965535efb183e7c999a56ead333c13767287fc14209edb849e63819c14c6685
Opcode Fuzzy Hash: 804f2d8f64e3d91cd661ae10e84bbb59f721d1aead2e720422563cb2dc371d18
Instruction Fuzzy Hash: C6116D35905429EFCB10EFA4E8859EE77BAEB16300F000455F901EB241C730BA918FA9

Function 006922EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0069180A,00000000), ref: 006923E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00692418

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: c246d72c4b25583d4acc70b79037e28e74b9fbcf0098711baeddf3190c73d092
Instruction ID: 834ce1e1606ca1ce3eefd7eaae75ce4f809f3b569b2a10a01df4a4818d93de8c
Opcode Fuzzy Hash: c246d72c4b25583d4acc70b79037e28e74b9fbcf0098711baeddf3190c73d092
Instruction Fuzzy Hash: 3041F47190420AFFEF109E95DC91EFB77FEEB40724F10402EF601A7A41DA749E419A64

Function 0068B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0068B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0068B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0068B3EA

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 0c8c221e0a97fd63c0a6044dd866f2c6dfbed8e653b3dbc49395588b08e8869c
Instruction ID: 3833add588da5c78f85cf63d6762cdcb7a7be24985f0665602ae664cd95440a1
Opcode Fuzzy Hash: 0c8c221e0a97fd63c0a6044dd866f2c6dfbed8e653b3dbc49395588b08e8869c
Instruction Fuzzy Hash: C5217135A00518EFCB40EFA5D881AEDBBB9FF49310F1481AAE905AB351CB31AD15CF55

Function 006787E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00640DB6: std::exception::exception.LIBCMT ref: 00640DEC
Part of subcall function 00640DB6: __CxxThrowException@8.LIBCMT ref: 00640E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0067882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00678858
GetLastError.KERNEL32 ref: 00678865

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 147a119ff96790b77a68d8a51b1e8ab944c380eae6367dfdeba834b63c7e2223
Instruction ID: 0e23f590f1be0bffb7e5c1c468c98c0c3e29b1e6f0874d1d01a8f0e0d70c7873
Opcode Fuzzy Hash: 147a119ff96790b77a68d8a51b1e8ab944c380eae6367dfdeba834b63c7e2223
Instruction Fuzzy Hash: 891160B1814205AFE718EFA4DC89D6BB7BEEB45711B10852EE45997241DA30BC418B61

Function 0067874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00678774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0067878B
FreeSid.ADVAPI32(?), ref: 0067879B

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 22efc697dd797eb4ea8c907821d7c49fae9a281ffd72cac6305375a69a442b0d
Instruction ID: bb3e5bea1fadbf6f54a43a76dad685fb08a76221dec83287593931da9d038ef2
Opcode Fuzzy Hash: 22efc697dd797eb4ea8c907821d7c49fae9a281ffd72cac6305375a69a442b0d
Instruction Fuzzy Hash: 6EF0627595130CBFDF04DFF4DC99ABEB7BDEF08201F104469A501E2181E7716A448B51

Function 00684C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00684CB3

Strings

DOWN, xrefs: 00684C98

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 828314e25f05694378d3a9be8e98c36853be3e300bf3a5635d11cd2b81f5651c
Instruction ID: ee1292a4b23fbcfb49e19a7789321ee64de74d021163498b0183dba15f5004f9
Opcode Fuzzy Hash: 828314e25f05694378d3a9be8e98c36853be3e300bf3a5635d11cd2b81f5651c
Instruction Fuzzy Hash: 74E0867159D7233DBA443519BC03EF7074E8F123357620207F810E51C1DD516C8225AD

Function 006216DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC

GetParent.USER32(?), ref: 0065B7BA
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,006219B3,?,?,?,00000006,?), ref: 0065B834

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: a717e1de8e747c960177ab074904d4f174d2b1cf13a6cc1be8010d4e5ce72cde
Instruction ID: 92b3d01995891e90c903c49c553059f33ee3684b18bd92cc18af715ab8d81ec0
Opcode Fuzzy Hash: a717e1de8e747c960177ab074904d4f174d2b1cf13a6cc1be8010d4e5ce72cde
Instruction Fuzzy Hash: 9621D234205964AFCB209F28E884DE93B97AF9A320F545254F9265F3B1C7319D12DF50

Function 0068C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0068C6FB
FindClose.KERNEL32(00000000), ref: 0068C72B

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d81f0684eaa7da961d0062bdd1e5a2f7f3701c72f29973704b21275a40e52698
Instruction ID: 8068ac7247e668a6181c6f30f4b11e9d4d91e5f980502d48ca1567f20c119147
Opcode Fuzzy Hash: d81f0684eaa7da961d0062bdd1e5a2f7f3701c72f29973704b21275a40e52698
Instruction Fuzzy Hash: 1411A1726006009FDB10EF29D845A6AF7EAFF85320F048A1DF8A9C7290DB34AC01CF95

Function 006AC57D Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0065B93A,?,?,?), ref: 006AC5F1

Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 006AC5D7

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 5ccce7a5a9620126dc0f9ba2eb6999e6c572082262af21b5cff88201826524ba
Instruction ID: 58a29a6b73c468cbc17f7c3ebd51b9bae721d16a390dbe44a3609781d7225496
Opcode Fuzzy Hash: 5ccce7a5a9620126dc0f9ba2eb6999e6c572082262af21b5cff88201826524ba
Instruction Fuzzy Hash: 56019E31200614EBCB25AF54DC94E6A3BA7FF86364F140128F9521B2A0CB72AC62DF91

Function 006AC93E Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 006AC961
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0065BA16,?,?,?,?,?), ref: 006AC98A

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 078f2dd9f196292f5406a9819b3c0a029925fc606f8dd901ae0efca8d1aa581e
Instruction ID: f231702870b6ca7119959f30204b8dd114208f1e019034ac7e17e379cf29d141
Opcode Fuzzy Hash: 078f2dd9f196292f5406a9819b3c0a029925fc606f8dd901ae0efca8d1aa581e
Instruction Fuzzy Hash: F4F01772410218FFEB04AF85DC099AE7BBAFB49321F00416AF901A2161D3716A60EBA5

Function 0068A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00699468,?,006AFB84,?), ref: 0068A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00699468,?,006AFB84,?), ref: 0068A0A9

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 19f84824898e9964ce11a25e310f8892f3b32a1ef4578ba5a3cbf8f79c549977
Instruction ID: f5ff519ee92c63b167c25aa6500bf4ef5dbc3eec0c7187a665eb4fe78ee0a4a0
Opcode Fuzzy Hash: 19f84824898e9964ce11a25e310f8892f3b32a1ef4578ba5a3cbf8f79c549977
Instruction Fuzzy Hash: B0F0E93510422DABDB10AFD4CC48FEA736EBF09361F004256FC04D6140C630A500CFE1

Function 006ACA7C Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006ACA84
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0065B995,?,?,?,?), ref: 006ACAB2

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: ecb75c2fe9998e5e058c89253ec280def36643b454bb1e0e9b0626c6df651d99
Instruction ID: e204feb31e097cd15de55e4cfb73939c6ab9e9e460f2d344daa7b49ebacd5d0c
Opcode Fuzzy Hash: ecb75c2fe9998e5e058c89253ec280def36643b454bb1e0e9b0626c6df651d99
Instruction Fuzzy Hash: E4E08670100218BFEB14AF19DC0AFBA3B55EB05761F408115F99AD91E1C771AC50DB60

Function 006781CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00678309), ref: 006781E0
CloseHandle.KERNEL32(?,?,00678309), ref: 006781F2

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ae90cd7a0bb9be606ccd9090c21a7d530f1909547305b5064eb9660991a2a5bd
Instruction ID: 62815808077e595aa617472191200284d5214ba8792d51cd61b47b1295825711
Opcode Fuzzy Hash: ae90cd7a0bb9be606ccd9090c21a7d530f1909547305b5064eb9660991a2a5bd
Instruction Fuzzy Hash: AFE08C32010621AFFB212B61EC08DB3BBEBEF00310710882DF9A680430CB32ACA0DB10

Function 0064A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,006B4178,00648D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 0064A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0064A163

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b24af25b72076449e2fd8c1f451b728a956d4323268f5cacef8b6b492d247c47
Instruction ID: 5c85b47a9ca5b165b631710f4af02afe2340066ed290384afa5387285e4f0ed4
Opcode Fuzzy Hash: b24af25b72076449e2fd8c1f451b728a956d4323268f5cacef8b6b492d247c47
Instruction Fuzzy Hash: 6FB09231054208ABCF003BD1EC59B883F6AEB46AA2F405020F60D84060CFA264508ED2

Function 0064F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63008b15ba1aecddb184ce8883c4bf4e67c9e11081837e19bffc2b8bab8c42e6
Instruction ID: ddaef724272d092e47cd2b1426fe5def5c73f0ee84965b44d53b7c8008676c9f
Opcode Fuzzy Hash: 63008b15ba1aecddb184ce8883c4bf4e67c9e11081837e19bffc2b8bab8c42e6
Instruction Fuzzy Hash: 0D32E461D29F414DDB239A34D872336A24AAFB73C4F15E737E819B5EA6EB29C4C34100

Function 0065242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6796f2c6ef5f5173263e5ef29dbede143c0688f7cb9bd0078eac47621ad5c4
Instruction ID: 280b5d0a0bf33eddfe433385776f787f10bdc3be5e72fefabc78cf23e0630212
Opcode Fuzzy Hash: 1a6796f2c6ef5f5173263e5ef29dbede143c0688f7cb9bd0078eac47621ad5c4
Instruction Fuzzy Hash: 1EB1BA70E2AF414DD32396398831336BA9DAFBB2C5F51E71BFC2670922EB2185C34141

Function 00688889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0068889B

Part of subcall function 0064520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00688F6E,00000000,?,?,?,?,0068911F,00000000,?), ref: 00645213
Part of subcall function 0064520A: __aulldiv.LIBCMT ref: 00645233

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: cb349e4aa9173988cb6ace2780222855c3bb3f0f1af3f8c23a4bea9512741900
Instruction ID: de293552aa6530720e89f862100e18f30baac968aa5f1322bffb7d0ce4664a55
Opcode Fuzzy Hash: cb349e4aa9173988cb6ace2780222855c3bb3f0f1af3f8c23a4bea9512741900
Instruction Fuzzy Hash: F421A2726256108FC729CF25D881A92B3E2EBA5311B688F6CE1F5CF2C0CA74A905CB54

Function 006AD78C Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 006AD838

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 9a629441da633a625b75160a6ab666d086b2694eb77a00b3639d3de5b25e4a97
Instruction ID: 59b3a4fae746e19ee19f220ea8b21cc4e3e6725743e9fff06ad18d5751b34186
Opcode Fuzzy Hash: 9a629441da633a625b75160a6ab666d086b2694eb77a00b3639d3de5b25e4a97
Instruction Fuzzy Hash: 4F113D34200255BBFB297E2CCC45FBA3B57D743B20F204318F5235AAD2CA649D019FA4

Function 006AD3B8 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0065B952,?,?,?,?,00000000,?), ref: 006AD432

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 5d5a81a960e45ccc0222bca2be06f1f2c90448f1b8401cd03096e233e4da6eb7
Instruction ID: 4d15f82e732dcfa26a5f004dbd5c0fec86aa79be2a3839f63a3d42d5362233b0
Opcode Fuzzy Hash: 5d5a81a960e45ccc0222bca2be06f1f2c90448f1b8401cd03096e233e4da6eb7
Instruction Fuzzy Hash: 4E01F531600514AFDF14AF25C849AEA3BD3EF5B365F444164F9075B691C330BC129FA0

Function 0062189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00621B04,?,?,?,?,?), ref: 006218E2

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 8d7845fdac8e41b847907ce699ad12fb034726b659ab48f27616518c21ee6778
Instruction ID: b042a278d2763d440de000b8863f5346c88c180ff1581d6d109e0a7449f74182
Opcode Fuzzy Hash: 8d7845fdac8e41b847907ce699ad12fb034726b659ab48f27616518c21ee6778
Instruction Fuzzy Hash: 0DF05E34600A69EFDF18DF15E8909663BA3EB55350F505129F9524F3E1C731D960EF50

Function 006AC8BE Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 006AC8FE

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 82d3d38e954069a6bfa093f5a720de8ce74144eab9a47e2bdc5005239a52a7de
Instruction ID: 394583d8d432c11db22e4bda1f8bb2cdd371257ab5a22668a2d2613cb9a26f6a
Opcode Fuzzy Hash: 82d3d38e954069a6bfa093f5a720de8ce74144eab9a47e2bdc5005239a52a7de
Instruction Fuzzy Hash: 11F03935201294ABDB21AF58DC45FC63B96AB0A320F044018BA22672E2CA706C20EBA0

Function 006787B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00678389), ref: 006787D1

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: a160111d4390295db2277937de674a0e445223d3a9b6d0c1fa73d2d122585ac6
Instruction ID: 47a9b81596f014605f68be65e8699609b4d55a97aa46cd00c40cc4b43bcce695
Opcode Fuzzy Hash: a160111d4390295db2277937de674a0e445223d3a9b6d0c1fa73d2d122585ac6
Instruction Fuzzy Hash: 73D05E322A050EABEF019FA4DC01EAE3B6AEB04B01F408111FE15C50A1C775E835AF60

Function 006AC909 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0065B9BC,?,?,?,?,?,?), ref: 006AC934

Part of subcall function 006AB635: _memset.LIBCMT ref: 006AB644
Part of subcall function 006AB635: _memset.LIBCMT ref: 006AB653
Part of subcall function 006AB635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006E6F20,006E6F64), ref: 006AB682
Part of subcall function 006AB635: CloseHandle.KERNEL32 ref: 006AB694

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: ee79a371b2c867caf37b144911ae4dbe3706c36c45558d5bc3ab0847ceb9181c
Instruction ID: 2495a3a52192385fa25288890b436dba59606745a29812bd9a959d360334c06e
Opcode Fuzzy Hash: ee79a371b2c867caf37b144911ae4dbe3706c36c45558d5bc3ab0847ceb9181c
Instruction Fuzzy Hash: 5BE04631110208EFCB01AF44DD54E8637B2FB1D314F018054FA061B2B2C731AC20EF50

Function 0062167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00621AEE,?,?,?), ref: 006216AB

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: fd60461aad62051f3cd883bc76a81f4dbd0fb49f5f4f18ea1fb5a8340094586d
Instruction ID: 7407a6da2a96b2690b4b8a0e2011f90db4201e0ec80c07b3f9ffe752d28d7934
Opcode Fuzzy Hash: fd60461aad62051f3cd883bc76a81f4dbd0fb49f5f4f18ea1fb5a8340094586d
Instruction Fuzzy Hash: 38E0EC35500618FBCF55AF90DC61E653B27FB59314F508418FA560A2A1CA72A921EF54

Function 006AC860 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 006AC885

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 652927c701c8d45328bae22d39d57cd98a16e7981a25a869ed5bcbaed9df272a
Instruction ID: b499c78d5b98f3e546ebb14422b6eda2c2d5a022dfc596d0dd00ca2b9dad553e
Opcode Fuzzy Hash: 652927c701c8d45328bae22d39d57cd98a16e7981a25a869ed5bcbaed9df272a
Instruction Fuzzy Hash: 95E0E235200248EFCB01EF88D884E863BA6AB1D300F004054FA154B262C771A820EBA2

Function 006AC88F Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 006AC8B4

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 47d302e6e11e244d262289e86fb31b79ce59a4d5b9edd97bb4dfe39c7dff653d
Instruction ID: b04fe3c7eca2b8974784aa9f5c15f8891e4f4b6d10ebd285a667765d2b5118ed
Opcode Fuzzy Hash: 47d302e6e11e244d262289e86fb31b79ce59a4d5b9edd97bb4dfe39c7dff653d
Instruction Fuzzy Hash: C5E0E235200248EFCB01EF88D984D863BA6AB1D300F004054FA154B262C771A820EBA2

Function 006216B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

Part of subcall function 0062201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006220D3
Part of subcall function 0062201B: KillTimer.USER32(-00000001,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0062216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00621AE2,?,?), ref: 006216D4

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: a1ad52b37c3f3183b79d7fb223b70ca8ccd04d660b3b13f33dd7404c27c1ad85
Instruction ID: 79d2b5770a5c2dbbe52ac8e7f6cb6f9e8225fc1ffe91671f7f944c76c8b8ccd2
Opcode Fuzzy Hash: a1ad52b37c3f3183b79d7fb223b70ca8ccd04d660b3b13f33dd7404c27c1ad85
Instruction Fuzzy Hash: F0D01231140718B7DF603FA1EC27F493E1B9B14750F408024BA05291D3CAB16860AD9D

Function 0064A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0064A12A

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6d16c002c506000ceb37ec727f433fe47e4454512ee7840c44290adaaff0518b
Instruction ID: e300dd6a5b13f515c8a84b0e758eabf73ea11fd834e5986c6950148cfd82a771
Opcode Fuzzy Hash: 6d16c002c506000ceb37ec727f433fe47e4454512ee7840c44290adaaff0518b
Instruction Fuzzy Hash: CDA0113000020CAB8F002B82EC08888BFAEEA022A0B008020F80C800228F32A8208AC2

Function 00638808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd5a254887f47057ee6968f5f078f7e442e2c11c01491fab1cb9dd57a0ba2fb
Instruction ID: 246951586eaf2439ca79f15fb6dcb923c755483534b6ea7ad904e759a5e572b6
Opcode Fuzzy Hash: dcd5a254887f47057ee6968f5f078f7e442e2c11c01491fab1cb9dd57a0ba2fb
Instruction Fuzzy Hash: AA220530904746CFDF288A28C4947FC77A3BF41344F6884ABF55B8B692DBB59D92C681

Function 006421C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: ae4fe0fd873fa7a884c89b321d7d76871539e4cf40f3127c22826bfb6e533cae
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 69C187722051930ADF2D4639C4741BEFBA25EA37B136A176DE4B3CF2D4EE10C965D620

Function 006425FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: a168225eb0bd01bc25da4bf21ab147a38efa5dc0616a686ab970245bca2b674d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 5DC196722051930ADF2D463AC4340BEFAA25FA37F136A176DE4B2DF2D4EE10C965D620

Function 00641978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: e12f5ce5b683bbb4b119713cd0ba5f0fb807521bcd671b2aff8a29280af4d232
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 59C193726451930ADF2D4639C4741BEBBA29EA37B131A176DD4B3CF2C4FE20C9A5D620

Function 006A356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,006AF910), ref: 006A3627
IsWindowVisible.USER32(?), ref: 006A364B

Strings

CHECK, xrefs: 006A386D
GETCURRENTLINE, xrefs: 006A38ED
HIDEDROPDOWN, xrefs: 006A3700
UNCHECK, xrefs: 006A3883
ISCHECKED, xrefs: 006A3839
SHOWDROPDOWN, xrefs: 006A36E0
GETLINE, xrefs: 006A399B
ADDSTRING, xrefs: 006A3716
GETSELECTED, xrefs: 006A38A3
SENDCOMMANDID, xrefs: 006A39DA
ISVISIBLE, xrefs: 006A3637
EDITPASTE, xrefs: 006A395F
CURRENTTAB, xrefs: 006A36BD
SELECTSTRING, xrefs: 006A3806
DELSTRING, xrefs: 006A3749
SETCURRENTSELECTION, xrefs: 006A37B6
GETCURRENTCOL, xrefs: 006A3928
TABRIGHT, xrefs: 006A369D
GETCURRENTSELECTION, xrefs: 006A37E3
GETLINECOUNT, xrefs: 006A38C6
FINDSTRING, xrefs: 006A3776
ISENABLED, xrefs: 006A366B
TABLEFT, xrefs: 006A3687

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 85768dfed861528fa7e46164a6fce3f091a39b0e04ad4a7a4463b88238f6a10c
Instruction ID: cf38481ca74d5c298a172d8afb5864186752dbbb5a2fdb960d52075956ebd6e7
Opcode Fuzzy Hash: 85768dfed861528fa7e46164a6fce3f091a39b0e04ad4a7a4463b88238f6a10c
Instruction Fuzzy Hash: 2CD16E302043219BDB44FF10C455AAE7BA3AF96344F14485DF98A5B3A2DB31EE4ACF95

Function 006AA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 006AA630
GetSysColorBrush.USER32(0000000F), ref: 006AA661
GetSysColor.USER32(0000000F), ref: 006AA66D
SetBkColor.GDI32(?,000000FF), ref: 006AA687
SelectObject.GDI32(?,00000000), ref: 006AA696
InflateRect.USER32(?,000000FF,000000FF), ref: 006AA6C1
GetSysColor.USER32(00000010), ref: 006AA6C9
CreateSolidBrush.GDI32(00000000), ref: 006AA6D0
FrameRect.USER32(?,?,00000000), ref: 006AA6DF
DeleteObject.GDI32(00000000), ref: 006AA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 006AA731
FillRect.USER32(?,?,00000000), ref: 006AA763
GetWindowLongW.USER32(?,000000F0), ref: 006AA78E

Part of subcall function 006AA8CA: GetSysColor.USER32(00000012), ref: 006AA903
Part of subcall function 006AA8CA: SetTextColor.GDI32(?,?), ref: 006AA907
Part of subcall function 006AA8CA: GetSysColorBrush.USER32(0000000F), ref: 006AA91D
Part of subcall function 006AA8CA: GetSysColor.USER32(0000000F), ref: 006AA928
Part of subcall function 006AA8CA: GetSysColor.USER32(00000011), ref: 006AA945
Part of subcall function 006AA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006AA953
Part of subcall function 006AA8CA: SelectObject.GDI32(?,00000000), ref: 006AA964
Part of subcall function 006AA8CA: SetBkColor.GDI32(?,00000000), ref: 006AA96D
Part of subcall function 006AA8CA: SelectObject.GDI32(?,?), ref: 006AA97A
Part of subcall function 006AA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 006AA999
Part of subcall function 006AA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006AA9B0
Part of subcall function 006AA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 006AA9C5
Part of subcall function 006AA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006AA9ED

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 6cc656e380c322c5ce6ed964c8fb3f64005d1194c9e3488f5db92b677c18892e
Instruction ID: f23764b3cf9f5517e087d6828e1e62b892ca5e54a83281f393cf51e02c95bcd7
Opcode Fuzzy Hash: 6cc656e380c322c5ce6ed964c8fb3f64005d1194c9e3488f5db92b677c18892e
Instruction Fuzzy Hash: 96917071408301FFD710AFA4DC08A5BBBAAFF4A321F105B2AF5A2961A1D771E945CF52

Function 006974AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006974DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0069759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006975DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 006975ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00697633
GetClientRect.USER32(00000000,?), ref: 0069763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00697683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00697692
GetStockObject.GDI32(00000011), ref: 006976A2
SelectObject.GDI32(00000000,00000000), ref: 006976A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006976B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006976BF
DeleteDC.GDI32(00000000), ref: 006976C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006976F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0069770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00697746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0069775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0069776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0069779B
GetStockObject.GDI32(00000011), ref: 006977A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006977B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 006977BB

Strings

AutoIt v3, xrefs: 0069762B
msctls_progress32, xrefs: 0069773C
static, xrefs: 0069767D, 00697795
DISPLAY, xrefs: 00697688

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: d9d2202784551c2700cf9879784b7dc2b14c7722de05fe44007b40021f69cbbb
Instruction ID: c9a29dde4e20d629e8c93f17b6935313d32397c465764cbe87f317a7e2ef30de
Opcode Fuzzy Hash: d9d2202784551c2700cf9879784b7dc2b14c7722de05fe44007b40021f69cbbb
Instruction Fuzzy Hash: F4A15E71A40615BFEB14DBA4DC4AFAE7BBAEB49715F004118FA15AB2E0D670AD00CF64

Function 0068AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0068AD1E
GetDriveTypeW.KERNEL32(?,006AFAC0,?,\\.\,006AF910), ref: 0068ADFB
SetErrorMode.KERNEL32(00000000,006AFAC0,?,\\.\,006AF910), ref: 0068AF59

Strings

SSA, xrefs: 0068AEE2
RAMDisk, xrefs: 0068AE25
SSD, xrefs: 0068AE86
ATA, xrefs: 0068AED4
USB, xrefs: 0068AEF0
Unknown, xrefs: 0068AE1B, 0068AEBF
Fibre, xrefs: 0068AEE9
PhysicalDrive, xrefs: 0068ADA7
Fixed, xrefs: 0068AE43
iSCSI, xrefs: 0068AEFE
SATA, xrefs: 0068AF0C
Network, xrefs: 0068AE39
RAID, xrefs: 0068AEF7
Virtual, xrefs: 0068AF21
FileBackedVirtual, xrefs: 0068AF28
SAS, xrefs: 0068AF05
CDROM, xrefs: 0068AE2F
\\.\, xrefs: 0068AD70
SCSI, xrefs: 0068AEC6
MMC, xrefs: 0068AF1A
1394, xrefs: 0068AEDB
Removable, xrefs: 0068AE4D
ATAPI, xrefs: 0068AECD

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 28e069199b19bd327a497b1ab05e1271caa51e7355ea114bca08df72f6012684
Instruction ID: 4db30f8118a08d0094832abfb2da2c5d59eabc5e11e2e202d721480d656a9c91
Opcode Fuzzy Hash: 28e069199b19bd327a497b1ab05e1271caa51e7355ea114bca08df72f6012684
Instruction Fuzzy Hash: AC51B1B0A44605AF9B50FF90C986CBD73A3EB4C700B25465BED07AB391DA719D02EB53

Function 006268DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00626931
__wcsnicmp.LIBCMT ref: 00626949
__wcsnicmp.LIBCMT ref: 00626961
__wcsnicmp.LIBCMT ref: 00626979
__wcsnicmp.LIBCMT ref: 00626991
__wcsnicmp.LIBCMT ref: 006269A9
__wcsnicmp.LIBCMT ref: 006269C1
__wcsnicmp.LIBCMT ref: 006269D5
__wcsnicmp.LIBCMT ref: 00626A16
__wcsnicmp.LIBCMT ref: 00626A2A
__wcsnicmp.LIBCMT ref: 00626A3E
__wcsnicmp.LIBCMT ref: 00626A52

Strings

#ce, xrefs: 00626A4C
#pragma compile, xrefs: 0062692B
Cannot parse #include, xrefs: 0065E3F0
Bad directive syntax error, xrefs: 0065E31A
#include, xrefs: 006269A3
#OnAutoItStartRegister, xrefs: 00626973
Unterminated group of comments, xrefs: 0065E403
#comments-end, xrefs: 00626A38
#requireadmin, xrefs: 0062695B
#notrayicon, xrefs: 00626943
#cs, xrefs: 006269CF, 00626A24
#include-once, xrefs: 0062698B
#comments-start, xrefs: 006269BB, 00626A10

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 08b1aa2625d1a6efc55c9e6a6febd50354914c3a6ee504c26edfce7136687495
Instruction ID: a1a99d8907e0e2c795ef42a2b2a0b331e7e6c08474aeb5acbd5337d3d8825167
Opcode Fuzzy Hash: 08b1aa2625d1a6efc55c9e6a6febd50354914c3a6ee504c26edfce7136687495
Instruction Fuzzy Hash: F8812CB16006266ACF25AB60EC43FEF37ABAF05700F044029FD456A295EB71DE45CB59

Function 00622C18 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00622CA2
DeleteObject.GDI32(00000000), ref: 00622CE8
DeleteObject.GDI32(00000000), ref: 00622CF3
DestroyCursor.USER32(00000000), ref: 00622CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00622D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0065C43B
6FED0200.COMCTL32(?,000000FF,?), ref: 0065C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0065C89D

Part of subcall function 00621B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00622036,?,00000000,?,?,?,?,006216CB,00000000,?), ref: 00621B9A

SendMessageW.USER32(?,00001053), ref: 0065C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0065C8F1

Strings

0, xrefs: 0065C731

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$CursorD0200InvalidateMoveRect
String ID: 0
API String ID: 2824886279-4108050209
Opcode ID: 0af14fe5b89de22c4e220ef6346588f988ba117c69f611f9ebc73b01961d1db4
Instruction ID: fb8bed1d88634db4297004e43f6ab22a95e9bd1314a3a468b9bf00a63cf0fdcf
Opcode Fuzzy Hash: 0af14fe5b89de22c4e220ef6346588f988ba117c69f611f9ebc73b01961d1db4
Instruction Fuzzy Hash: C812AC30604612EFDB60DF24D894BA9BBE2FF49322F544569F885CB262C731E856CF91

Function 006A9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 006A9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 006A9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 006A9BA7

Strings

0, xrefs: 006A9BE4

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: ad3c80bef6cd1fc1443d10adb9f2aa286e5ed8d25cf833ead0ab95365cfd1d0f
Instruction ID: 96d2f2fff966246f0c7f69a904baba3af1d35f6a0dff38798cb673e10814b9ac
Opcode Fuzzy Hash: ad3c80bef6cd1fc1443d10adb9f2aa286e5ed8d25cf833ead0ab95365cfd1d0f
Instruction Fuzzy Hash: C602AE30104341AFDB25EF24C849BAABBE6FF86314F24852DF995962A1C735DD44CF62

Function 006AA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 006AA903
SetTextColor.GDI32(?,?), ref: 006AA907
GetSysColorBrush.USER32(0000000F), ref: 006AA91D
GetSysColor.USER32(0000000F), ref: 006AA928
CreateSolidBrush.GDI32(?), ref: 006AA92D
GetSysColor.USER32(00000011), ref: 006AA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 006AA953
SelectObject.GDI32(?,00000000), ref: 006AA964
SetBkColor.GDI32(?,00000000), ref: 006AA96D
SelectObject.GDI32(?,?), ref: 006AA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 006AA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006AA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 006AA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006AA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006AAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 006AAA32
DrawFocusRect.USER32(?,?), ref: 006AAA3D
GetSysColor.USER32(00000011), ref: 006AAA4B
SetTextColor.GDI32(?,00000000), ref: 006AAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 006AAA67
SelectObject.GDI32(?,006AA5FA), ref: 006AAA7E
DeleteObject.GDI32(?), ref: 006AAA89
SelectObject.GDI32(?,?), ref: 006AAA8F
DeleteObject.GDI32(?), ref: 006AAA94
SetTextColor.GDI32(?,?), ref: 006AAA9A
SetBkColor.GDI32(?,?), ref: 006AAAA4

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0907692202046dd1dc28801e1f1a640f5e056b1efda78c74af4184dd3f417108
Instruction ID: 82c39e945a2e36da0e430cd83a483ea1c1611188acd0a36be5fb7a28302ffec8
Opcode Fuzzy Hash: 0907692202046dd1dc28801e1f1a640f5e056b1efda78c74af4184dd3f417108
Instruction Fuzzy Hash: 87513071900208EFDB11AFE4DC48EAEBB7AEF0A320F115265F911AB2A1D771AD40DF51

Function 006A89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006A8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A8AD2
CharNextW.USER32(0000014E), ref: 006A8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006A8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006A8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 006A8B86
SetWindowTextW.USER32(?,0000014E), ref: 006A8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 006A8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 006A8C1F
_memset.LIBCMT ref: 006A8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 006A8C8D
_memset.LIBCMT ref: 006A8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 006A8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 006A8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 006A8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 006A8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006A8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006A8EB4
DrawMenuBar.USER32(?), ref: 006A8EC3
SetWindowTextW.USER32(?,0000014E), ref: 006A8EEB

Strings

0, xrefs: 006A8E55

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 994c747bac118b3d255b8a78d7c60ea40f27f2e3f7d3db3152144938dad8506c
Instruction ID: 467aed74efcb81603170aa39083589a08d23795f61f3b1a023fc8b08d03a4088
Opcode Fuzzy Hash: 994c747bac118b3d255b8a78d7c60ea40f27f2e3f7d3db3152144938dad8506c
Instruction Fuzzy Hash: 70E16170900219AFDF20AF50CC84EEE7BBAEF06750F14815AFA15AB291DB749D81DF61

Function 006A488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006A49CA
GetDesktopWindow.USER32 ref: 006A49DF
GetWindowRect.USER32(00000000), ref: 006A49E6
GetWindowLongW.USER32(?,000000F0), ref: 006A4A48
DestroyWindow.USER32(?), ref: 006A4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006A4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006A4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006A4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 006A4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006A4B09
IsWindowVisible.USER32(?), ref: 006A4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 006A4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 006A4B58
GetWindowRect.USER32(?,?), ref: 006A4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 006A4B96
GetMonitorInfoW.USER32(00000000,?), ref: 006A4BB0
CopyRect.USER32(?,?), ref: 006A4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 006A4C32

Strings

(, xrefs: 006A4BA3
0, xrefs: 006A4975
tooltips_class32, xrefs: 006A4A96

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 615a86b8947bd169e05cbb9585476da8ad9a93e4f1b46e9333fb1388070903cc
Instruction ID: 3e5981633b71534fafc84400f3196eeb5678792d2c89a9280e43ce9aa9886be9
Opcode Fuzzy Hash: 615a86b8947bd169e05cbb9585476da8ad9a93e4f1b46e9333fb1388070903cc
Instruction Fuzzy Hash: 80B17A71604350AFDB44EF64D844B5ABBE6AF86310F00891CF5999B291DBB1EC05CFA6

Function 006227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006228BC
GetSystemMetrics.USER32(00000007), ref: 006228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006228EF
GetSystemMetrics.USER32(00000008), ref: 006228F7
GetSystemMetrics.USER32(00000004), ref: 0062291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00622939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00622949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0062297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00622990
GetClientRect.USER32(00000000,000000FF), ref: 006229AE
GetStockObject.GDI32(00000011), ref: 006229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 006229D5

Part of subcall function 00622344: GetCursorPos.USER32(?), ref: 00622357
Part of subcall function 00622344: ScreenToClient.USER32(006E57B0,?), ref: 00622374
Part of subcall function 00622344: GetAsyncKeyState.USER32(00000001), ref: 00622399
Part of subcall function 00622344: GetAsyncKeyState.USER32(00000002), ref: 006223A7

SetTimer.USER32(00000000,00000000,00000028,00621256), ref: 006229FC

Strings

AutoIt v3 GUI, xrefs: 00622974

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 702659e60c6d0e6e1163c9a96cb552a917261430febc9f80b5211f3a1f97bb53
Instruction ID: 590a511960ab54f338e589d5112535577d7c7214f7ae2098cc69c920a5a418cb
Opcode Fuzzy Hash: 702659e60c6d0e6e1163c9a96cb552a917261430febc9f80b5211f3a1f97bb53
Instruction Fuzzy Hash: ECB1AF70A0061AEFDB14DFA8DC95BEE7BB6FB08315F104229FA15A6290DB74E841CF51

Function 0068449A Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00684500
_wcscmp.LIBCMT ref: 0068450B
_wcscat.LIBCMT ref: 00684521
_wcsstr.LIBCMT ref: 0068452C
754B1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00684548
_wcscat.LIBCMT ref: 00684591
_wcscat.LIBCMT ref: 00684598
_wcsncpy.LIBCMT ref: 006845C3

Strings

DefaultLangCodepage, xrefs: 006845AB
StringFileInfo\, xrefs: 0068451B
04090000, xrefs: 0068457E
\VarFileInfo\Translation, xrefs: 00684540
%u.%u.%u.%u, xrefs: 00684626

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _wcscat$B1560_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 2719676056-1459072770
Opcode ID: c21d3dea26869bcc86206d3b715861764676cd30b83b720719ea74ae0aef8a49
Instruction ID: b942395c2ad7e58e33ca2b7e296a39ad085c2c524f0398975c6e36914ae205ba
Opcode Fuzzy Hash: c21d3dea26869bcc86206d3b715861764676cd30b83b720719ea74ae0aef8a49
Instruction Fuzzy Hash: CB41C871A002127BD750BBB49C47EFF776EDF42710F14015EF905E6282EE34AA1196AA

Function 0067A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0067A47A
__swprintf.LIBCMT ref: 0067A51B
_wcscmp.LIBCMT ref: 0067A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0067A583
_wcscmp.LIBCMT ref: 0067A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0067A5F6
GetDlgCtrlID.USER32(?), ref: 0067A648
GetWindowRect.USER32(?,?), ref: 0067A67E
GetParent.USER32(?), ref: 0067A69C
ScreenToClient.USER32(00000000), ref: 0067A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0067A71D
_wcscmp.LIBCMT ref: 0067A731
GetWindowTextW.USER32(?,?,00000400), ref: 0067A757
_wcscmp.LIBCMT ref: 0067A76B

Part of subcall function 0064362C: _iswctype.LIBCMT ref: 00643634

Strings

%s%u, xrefs: 0067A515

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: c829d50d162c5e99689d8cc48f57bee033de0f1cb0242909e3f4a3438401afc3
Instruction ID: 736e51a0c3d46a723319f2688f21a15df9113ceff062f71192e7921f35966dba
Opcode Fuzzy Hash: c829d50d162c5e99689d8cc48f57bee033de0f1cb0242909e3f4a3438401afc3
Instruction Fuzzy Hash: DDA1B135204606AFD718DFA4C884BEEB7EAFF84315F108629F99DC2250DB30E955CB92

Function 0067AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0067AF18
_wcscmp.LIBCMT ref: 0067AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0067AF51
CharUpperBuffW.USER32(?,00000000), ref: 0067AF6E
_wcscmp.LIBCMT ref: 0067AF8C
_wcsstr.LIBCMT ref: 0067AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0067AFD5
_wcscmp.LIBCMT ref: 0067AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0067B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0067B055
_wcscmp.LIBCMT ref: 0067B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0067B08D
GetWindowRect.USER32(00000004,?), ref: 0067B0F6

Strings

ThumbnailClass, xrefs: 0067AFE0, 0067B060
@, xrefs: 0067AEF9

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f492b69807b88be62c639e3551987a9bd682f89db052b200741167c2351b5a90
Instruction ID: 587292414dd408f8e6abcb13479b9e83f000fe3276d5c1e29c0000624f851170
Opcode Fuzzy Hash: f492b69807b88be62c639e3551987a9bd682f89db052b200741167c2351b5a90
Instruction Fuzzy Hash: 2E81C1711082059FDB04DF50C885FAA7BEAEF84314F04D56EFD898A291DB34DD49CBA2

Function 0067ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0067AC33

Strings

[HANDLE:, xrefs: 0067AC3F
ACTIVE, xrefs: 0067AC0E
[ALL, xrefs: 0067ACD9
[ACTIVE, xrefs: 0067AC20
[REGEXPTITLE:, xrefs: 0067AC5B
REGEXP=, xrefs: 0067AC48
HANDLE=, xrefs: 0067AC2C
CLASSNAME=, xrefs: 0067AC70
LAST, xrefs: 0067ABF8
[LAST, xrefs: 0067ACE0
ALL, xrefs: 0067ACC7
[CLASS:, xrefs: 0067AC83

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 789453d58d50d2a63ba5486fbe089486eb540db246d91314d79f7659beca95c4
Instruction ID: b8eb79911bcb4fc8b30f58fd03983a035db9049cddc0ac396f083d5a3713db03
Opcode Fuzzy Hash: 789453d58d50d2a63ba5486fbe089486eb540db246d91314d79f7659beca95c4
Instruction Fuzzy Hash: 1231C230E4861ABADB51EAA0EE03EEE7767AF10711F64401EF446712D1FF616F048A5B

Function 00694FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00695013
LoadCursorW.USER32(00000000,00007F00), ref: 0069501E
LoadCursorW.USER32(00000000,00007F03), ref: 00695029
LoadCursorW.USER32(00000000,00007F8B), ref: 00695034
LoadCursorW.USER32(00000000,00007F01), ref: 0069503F
LoadCursorW.USER32(00000000,00007F81), ref: 0069504A
LoadCursorW.USER32(00000000,00007F88), ref: 00695055
LoadCursorW.USER32(00000000,00007F80), ref: 00695060
LoadCursorW.USER32(00000000,00007F86), ref: 0069506B
LoadCursorW.USER32(00000000,00007F83), ref: 00695076
LoadCursorW.USER32(00000000,00007F85), ref: 00695081
LoadCursorW.USER32(00000000,00007F82), ref: 0069508C
LoadCursorW.USER32(00000000,00007F84), ref: 00695097
LoadCursorW.USER32(00000000,00007F04), ref: 006950A2
LoadCursorW.USER32(00000000,00007F02), ref: 006950AD
LoadCursorW.USER32(00000000,00007F89), ref: 006950B8
GetCursorInfo.USER32(?), ref: 006950C8

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 123d73b30e2dfb84740e9ae5d5ecc1682688afc3009f0edd99706921e7ec4b68
Instruction ID: 9e77c4981d1d2e7a8766420fca91069e2585806cd4457d0134129019d9793961
Opcode Fuzzy Hash: 123d73b30e2dfb84740e9ae5d5ecc1682688afc3009f0edd99706921e7ec4b68
Instruction Fuzzy Hash: F93113B1D083196ADF109FB68C899AFBFEDFF04750F50452AE50DE7280DA78A5008FA5

Function 006AA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006AA259
DestroyWindow.USER32(?,?), ref: 006AA2D3

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006AA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006AA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006AA382
DestroyWindow.USER32(00000000), ref: 006AA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00620000,00000000), ref: 006AA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006AA3F4
GetDesktopWindow.USER32 ref: 006AA40D
GetWindowRect.USER32(00000000), ref: 006AA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006AA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006AA444

Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC

Strings

tooltips_class32, xrefs: 006AA346, 006AA3D4
0, xrefs: 006AA26F

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 252e7da23da4eb17efdec5ed45587fdd1d2dd752a3c81323a2aef13c992a41ba
Instruction ID: cbde0a53cb5bad473d8672a7d9e1def299255aca30b6f6cc9c1d90014aad3a6e
Opcode Fuzzy Hash: 252e7da23da4eb17efdec5ed45587fdd1d2dd752a3c81323a2aef13c992a41ba
Instruction Fuzzy Hash: F1716A71140645AFDB21EF68CC49FAA7BE6FB8A304F04451EF9858B2A0D771AD02CF52

Function 006A4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006A4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006A446F

Strings

CHECK, xrefs: 006A448F
UNCHECK, xrefs: 006A464B
ISCHECKED, xrefs: 006A45F2
EXISTS, xrefs: 006A44D8
COLLAPSE, xrefs: 006A44B5
GETITEMCOUNT, xrefs: 006A4551
GETTOTALCOUNT, xrefs: 006A4456
GETSELECTED, xrefs: 006A457F
EXPAND, xrefs: 006A4521
GETTEXT, xrefs: 006A45C2
SELECT, xrefs: 006A4620

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 0423507548b83d02c4eebc2b9576851b1f8f94a26b2500e20873cffb35725fc4
Instruction ID: ad2b2b4c83dad935e1147d3a21508e080d9aa25108ee7fbece67d86b75ec822f
Opcode Fuzzy Hash: 0423507548b83d02c4eebc2b9576851b1f8f94a26b2500e20873cffb35725fc4
Instruction Fuzzy Hash: 28917C306047119BCB44EF20C851A6EB7E3AF96350F04886DF8965B3A2CB75ED46CF95

Function 006AB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006AB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006A91C2), ref: 006AB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006AB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006AB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006AB9C3
FreeLibrary.KERNEL32(?), ref: 006AB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006AB9DF
DestroyCursor.USER32(?), ref: 006AB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006ABA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006ABA17

Part of subcall function 00642EFD: __wcsicmp_l.LIBCMT ref: 00642F86

Strings

.icl, xrefs: 006AB82A
.exe, xrefs: 006AB84A
.dll, xrefs: 006AB86D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: 13f7e06ad66ba0b63e9042d21ad89b06336ed236af735019cc10e7b81e44ac65
Instruction ID: 96d4688c03105df44174f29a27a2118ea263f7b3178f29a615799dfb0c644545
Opcode Fuzzy Hash: 13f7e06ad66ba0b63e9042d21ad89b06336ed236af735019cc10e7b81e44ac65
Instruction Fuzzy Hash: 8761FC71900219BAEB14EF64DC41BFF7BAAEF0A710F10451AF915D62C2DB74AD80DBA0

Function 0068A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

CharLowerBuffW.USER32(?,?), ref: 0068A3CB
GetDriveTypeW.KERNEL32 ref: 0068A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068A4C5

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

Strings

type cdaudio alias cd wait, xrefs: 0068A443
close, xrefs: 0068A3D1
closed, xrefs: 0068A3DF, 0068A3E8
close cd wait, xrefs: 0068A4B0
wait, xrefs: 0068A482
open , xrefs: 0068A427
set cd door , xrefs: 0068A466
open, xrefs: 0068A3F2

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 3200b5a4f9910bdc55083206ef061406769f6ed77955458cb6a810d08c0200df
Instruction ID: ca2e52b2382ea7c0b8f2084b0051ce745cbdf01ae73a012d57599b934b4ccfb0
Opcode Fuzzy Hash: 3200b5a4f9910bdc55083206ef061406769f6ed77955458cb6a810d08c0200df
Instruction Fuzzy Hash: 21518C715047149FC740EF20D891C6AB3E6EF84318F14892EF88A572A1DB31ED0ACF96

Function 0067F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0065E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0067F8DF
LoadStringW.USER32(00000000,?,0065E029,00000001), ref: 0067F8E8

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0065E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0067F90A
LoadStringW.USER32(00000000,?,0065E029,00000001), ref: 0067F90D
__swprintf.LIBCMT ref: 0067F95D
__swprintf.LIBCMT ref: 0067F96E
_wprintf.LIBCMT ref: 0067FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0067FA2E

Strings

Error: , xrefs: 0067F9E5
%s (%d) : ==> %s: %s %s, xrefs: 0067FA12
^ ERROR, xrefs: 0067F9C3
Line %d (File "%s"):, xrefs: 0067F957
Line %d:, xrefs: 0067F968

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 5422e776f427978bb01344422135467e9f563f97e4ff3ed67c7f8c5505ab029f
Instruction ID: 36068979dbe96b69a8e2347436465ad363ccc9faee2a390d9d7a0c344bb3a4cb
Opcode Fuzzy Hash: 5422e776f427978bb01344422135467e9f563f97e4ff3ed67c7f8c5505ab029f
Instruction Fuzzy Hash: 7F416F7290062DAACF54FFE0ED86DEEB77AAF14300F100469B50976192EA316F49CF65

Function 006ABA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,006A9207,?,?), ref: 006ABA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,006A9207,?,?,00000000,?), ref: 006ABA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,006A9207,?,?,00000000,?), ref: 006ABA78
CloseHandle.KERNEL32(00000000,?,?,?,?,006A9207,?,?,00000000,?), ref: 006ABA85
GlobalLock.KERNEL32(00000000), ref: 006ABA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,006A9207,?,?,00000000,?), ref: 006ABA9D
GlobalUnlock.KERNEL32(00000000), ref: 006ABAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,006A9207,?,?,00000000,?), ref: 006ABAAD
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 006ABABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,006B2CAC,?), ref: 006ABAD7
GlobalFree.KERNEL32(00000000), ref: 006ABAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 006ABB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 006ABB36
DeleteObject.GDI32(00000000), ref: 006ABB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006ABB74

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: cd32321ce98bf225478041ab512c730687367a370a5969aabee280a20d61b4bc
Instruction ID: 6c24c911cd725fad8fc8634f755f3adef72146649ca5edef759830f61f5ecf23
Opcode Fuzzy Hash: cd32321ce98bf225478041ab512c730687367a370a5969aabee280a20d61b4bc
Instruction Fuzzy Hash: 44412B75600204EFDB11AFA5DC48EAA7BBAFF8A711F105068F905D7261D730AE41CF61

Function 00626A8C Relevance: 21.5, APIs: 4, Strings: 8, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00640957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00626B0C,?,00008000), ref: 00640973

Part of subcall function 00624750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00624743,?,?,006237AE,?), ref: 00624770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00626BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00626CFA

Part of subcall function 0062586D: _wcscpy.LIBCMT ref: 006258A5

Part of subcall function 0064363D: _iswctype.LIBCMT ref: 00643645

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 0065E421
EA06, xrefs: 0065E452
Unterminated string, xrefs: 0065E7E4
Error opening the file, xrefs: 0065E43D, 0065E4B8
AU3!, xrefs: 00626B61
Bad directive syntax error, xrefs: 0065E79D
/vb, xrefs: 0065E4ED, 0065E511
>>>AUTOIT SCRIPT<<<, xrefs: 0065E496

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$/vb$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3773326070
Opcode ID: 13338f3a5eecaf17cfa01596d81b0d00c4d883825231b1a28c4f7f1abe9574a4
Instruction ID: c7e37350dcd77ad0c2b054e7fc50afe3f9b34362e046f0390d219547f019c2e0
Opcode Fuzzy Hash: 13338f3a5eecaf17cfa01596d81b0d00c4d883825231b1a28c4f7f1abe9574a4
Instruction Fuzzy Hash: 2402BD305087519FCB64EF20D8819AFBBE6AF99314F10481DF88A972A1DB31DA49CF56

Function 0068D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0068DA10
_wcscat.LIBCMT ref: 0068DA28
_wcscat.LIBCMT ref: 0068DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0068DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0068DA63
GetFileAttributesW.KERNEL32(?), ref: 0068DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0068DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0068DAA7

Strings

*.*, xrefs: 0068DAE6

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 48091559385ec63d39db6eb1b6ed10b98011b736902c81e95d3bdcbe25158373
Instruction ID: dcd698efd014e09f63c77ca62c99a2f6fd678bd5bbae366254323a86c08e0516
Opcode Fuzzy Hash: 48091559385ec63d39db6eb1b6ed10b98011b736902c81e95d3bdcbe25158373
Instruction Fuzzy Hash: A68182715043419FCB64FF64C844AAAB7EABF89310F184A2EF889D7391E630DD45CB62

Function 0069731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0069738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0069739B
CreateCompatibleDC.GDI32(?), ref: 006973A7
SelectObject.GDI32(00000000,?), ref: 006973B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00697408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00697444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00697468
SelectObject.GDI32(00000006,?), ref: 00697470
DeleteObject.GDI32(?), ref: 00697479
DeleteDC.GDI32(00000006), ref: 00697480
ReleaseDC.USER32(00000000,?), ref: 0069748B

Strings

(, xrefs: 00697410

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a0b564acceb00519262471efdda06f258a10ac935ba378d5d96b3ca7cb7c3675
Instruction ID: c7de040d1af855c3ede17a797a1fc1f40ba8ee7a9d3d9f34175309c2b6e5dbd3
Opcode Fuzzy Hash: a0b564acceb00519262471efdda06f258a10ac935ba378d5d96b3ca7cb7c3675
Instruction Fuzzy Hash: 0A514875904209EFCB14DFA8CC84EAEBBBAEF49710F14842EF99997211C731A9418B50

Function 00682D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00682DDD
GetMenuItemCount.USER32(006E5890), ref: 00682E66
DeleteMenu.USER32(006E5890,00000005,00000000,000000F5,?,?), ref: 00682EF6
DeleteMenu.USER32(006E5890,00000004,00000000), ref: 00682EFE
DeleteMenu.USER32(006E5890,00000006,00000000), ref: 00682F06
DeleteMenu.USER32(006E5890,00000003,00000000), ref: 00682F0E
GetMenuItemCount.USER32(006E5890), ref: 00682F16
SetMenuItemInfoW.USER32(006E5890,00000004,00000000,00000030), ref: 00682F4C
GetCursorPos.USER32(?), ref: 00682F56
SetForegroundWindow.USER32(00000000), ref: 00682F5F
TrackPopupMenuEx.USER32(006E5890,00000000,?,00000000,00000000,00000000), ref: 00682F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00682F7E

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: aa15c8293cf5bbfe8ec8c8eda86f1ee6ec7eeb7619048c2c37da970e277652cf
Instruction ID: 150ae6225c746aaf34ca88c60dfb7983d6d18c7ea5e77f9b47f32b163036dcda
Opcode Fuzzy Hash: aa15c8293cf5bbfe8ec8c8eda86f1ee6ec7eeb7619048c2c37da970e277652cf
Instruction Fuzzy Hash: A571D470640207BAEB21AF54DCA9FEABF66FF05314F100316F615AA2E1C7B16C50DB99

Function 006A0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0069FDAD,?,?), ref: 006A0E31

Strings

HKEY_CURRENT_CONFIG, xrefs: 006A0EEE
HKCR, xrefs: 006A0ED9
HKLM, xrefs: 006A0EAF
HKCU, xrefs: 006A0F21
HKEY_USERS, xrefs: 006A0F32
HKEY_LOCAL_MACHINE, xrefs: 006A0E9A
HKCC, xrefs: 006A0EFF
HKU, xrefs: 006A0F43
HKEY_CLASSES_ROOT, xrefs: 006A0EC4
HKEY_CURRENT_USER, xrefs: 006A0F10

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 0e2340c2ebee8c10c9fcad06ca1103eebbe82f6dc83c36adc8c752f677d329ac
Instruction ID: 3cfa66d699c26fef9c5b231e9d6e7de37830377c6977015877a15b404c22a6e1
Opcode Fuzzy Hash: 0e2340c2ebee8c10c9fcad06ca1103eebbe82f6dc83c36adc8c752f677d329ac
Instruction Fuzzy Hash: EE415B3154025A8FEF60EF10E865AEE37A6BF12344F144469FC552B392DB30AD5ACFA0

Function 0067F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0065E2A0,00000010,?,Bad directive syntax error,006AF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0067F7C2
LoadStringW.USER32(00000000,?,0065E2A0,00000010), ref: 0067F7C9

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

_wprintf.LIBCMT ref: 0067F7FC
__swprintf.LIBCMT ref: 0067F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0067F88D

Strings

Error: , xrefs: 0067F85B
., xrefs: 0067F873
Line %d (File "%s"):, xrefs: 0067F833
Line %d:, xrefs: 0067F818
%s (%d) : ==> %s.: %s %s, xrefs: 0067F7F7

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 08430187ad4d65840d4eb4d92cd6f166c2f36cc5f32a1ec0422565e1824671eb
Instruction ID: c5f5eb9d02cd97bca2fc74e0b833cfcb1e3b1ef787bab9532909492c4392353f
Opcode Fuzzy Hash: 08430187ad4d65840d4eb4d92cd6f166c2f36cc5f32a1ec0422565e1824671eb
Instruction Fuzzy Hash: 7921713294022EEFCF51EF90DC4AEEE773ABF14300F04486AF515661A2DA71A618DF55

Function 006852C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

Part of subcall function 00627924: _memmove.LIBCMT ref: 006279AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00685330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00685346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00685357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00685369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0068537A

Strings

play PlayMe wait, xrefs: 00685364
play PlayMe, xrefs: 00685375
alias PlayMe, xrefs: 00685309
status PlayMe mode, xrefs: 0068532B
close PlayMe, xrefs: 00685341, 0068536E
open , xrefs: 006852DF

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 404a6488579a8929136cd54039671b25aaa301b1ba969e27a237f2f59cd431c6
Instruction ID: 9972bb2c13aae457afd13074b868a088861d100792c6111bd96dcb509b9a66a7
Opcode Fuzzy Hash: 404a6488579a8929136cd54039671b25aaa301b1ba969e27a237f2f59cd431c6
Instruction Fuzzy Hash: 8911B230E506697ED760BB71DC4ADFF7B7EEB92B40F00042AB402A31D1EEA05D45CAA1

Function 006846B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 006846D2
gethostname.WS2_32(?,00000100), ref: 006846EC
gethostbyname.WS2_32(?), ref: 006846F9
_wcscpy.LIBCMT ref: 00684721
_memmove.LIBCMT ref: 00684734
inet_ntoa.WS2_32(?), ref: 0068473F
_strcat.LIBCMT ref: 0068474D
_wcscpy.LIBCMT ref: 00684764
WSACleanup.WS2_32 ref: 00684772
_wcscpy.LIBCMT ref: 00684780

Strings

0.0.0.0, xrefs: 0068471B

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 8aeee9c457643a7a2191714c6bab42010db1bb3a0493b4a7d297a7c94a42b4f4
Instruction ID: 5ad640c265b9f1f02a3ed46c13a25cdc1ef3e0abc52d3620817330a629ce9725
Opcode Fuzzy Hash: 8aeee9c457643a7a2191714c6bab42010db1bb3a0493b4a7d297a7c94a42b4f4
Instruction Fuzzy Hash: 011127319041156FDB60BB709C4AEDA7BBEEF02711F0002BAF44592191EF75DD818B65

Function 00684F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00684F7A

Part of subcall function 0064049F: timeGetTime.WINMM(?,7707B400,00630E7B), ref: 006404A3

Sleep.KERNEL32(0000000A), ref: 00684FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00684FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00684FEC
SetActiveWindow.USER32 ref: 0068500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00685019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00685038
Sleep.KERNEL32(000000FA), ref: 00685043
IsWindow.USER32 ref: 0068504F
EndDialog.USER32(00000000), ref: 00685060

Strings

BUTTON, xrefs: 00684FDE

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 720e610d5b6849ee562a6b425b3ec1afa4e3845336fdc4144ba23195327e4ef3
Instruction ID: 7e945b1b4e869473023c755d8bcbee4af2f45cffe6fcde85ad967e2fc1bf6aca
Opcode Fuzzy Hash: 720e610d5b6849ee562a6b425b3ec1afa4e3845336fdc4144ba23195327e4ef3
Instruction Fuzzy Hash: BD21A170600B45AFE7107FA0ECC8A363BABEB56785F043128F203862B1DB719D448B72

Function 0068D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

CoInitialize.OLE32(00000000), ref: 0068D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0068D67D
SHGetDesktopFolder.SHELL32(?), ref: 0068D691
CoCreateInstance.COMBASE(006B2D7C,00000000,00000001,006D8C1C,?), ref: 0068D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0068D74C
CoTaskMemFree.COMBASE(?), ref: 0068D7A4
_memset.LIBCMT ref: 0068D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0068D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0068D840
CoTaskMemFree.COMBASE(00000000), ref: 0068D847
CoTaskMemFree.COMBASE(00000000), ref: 0068D87E
CoUninitialize.COMBASE ref: 0068D880

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 89354ad71734d4f9d4a5d5ba6abd3ccc9b75a6be40f554eb26ab3f520582710b
Instruction ID: b273a5723015ef181279785f5a25d7156c3d44903568cb13b33055d1c82ec9c0
Opcode Fuzzy Hash: 89354ad71734d4f9d4a5d5ba6abd3ccc9b75a6be40f554eb26ab3f520582710b
Instruction Fuzzy Hash: B4B1EA75A00119AFDB44EFA4C884DAEBBBAEF49304F148569F909DB261DB30ED41CF64

Function 0067C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0067C283
GetWindowRect.USER32(00000000,?), ref: 0067C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0067C2F3
GetDlgItem.USER32(?,00000002), ref: 0067C2FE
GetWindowRect.USER32(00000000,?), ref: 0067C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0067C364
GetDlgItem.USER32(?,000003E9), ref: 0067C372
GetWindowRect.USER32(00000000,?), ref: 0067C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0067C3C6
GetDlgItem.USER32(?,000003EA), ref: 0067C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0067C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0067C3FE

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 327f7aed521c79fa04d3ee8c8460044237c6ef537b2122fe9d81a409252e6934
Instruction ID: cd36b4940e1b8b84924e22b55f9020370e0be730167491cf798929c4012e1b40
Opcode Fuzzy Hash: 327f7aed521c79fa04d3ee8c8460044237c6ef537b2122fe9d81a409252e6934
Instruction Fuzzy Hash: DA515371B00205AFDB18DFA9DD89AAEBBB6EB88310F14912DF519D7290D770AD008B50

Function 006221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC

GetSysColor.USER32(0000000F), ref: 006221D3

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: ceab3ac49bb85bc2fef76228d4e27bbe1fa717d92442b9d36c6cf5a02c4782e0
Instruction ID: d35278b640ae4bfc5cdc6c136c73bae9bbfd5e43311411e407253da7bc022b89
Opcode Fuzzy Hash: ceab3ac49bb85bc2fef76228d4e27bbe1fa717d92442b9d36c6cf5a02c4782e0
Instruction Fuzzy Hash: B141D330001951EADB215F68EC98BF93B67EB06321F185365FD619A2E1C7328D42DF22

Function 0068A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,006AF910), ref: 0068A90B
GetDriveTypeW.KERNEL32(00000061,006D89A0,00000061), ref: 0068A9D5
_wcscpy.LIBCMT ref: 0068A9FF

Strings

removable, xrefs: 0068A93D
fixed, xrefs: 0068A953
cdrom, xrefs: 0068A927
unknown, xrefs: 0068A996
network, xrefs: 0068A969
ramdisk, xrefs: 0068A97F
all, xrefs: 0068A911

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: aec259042491dbb3fe544774c8e276a180535567f17680ce86134158e5b310a7
Instruction ID: 82ffaa612b5bd6365bb139e6b5c3f5ac19c8239976f43b993c43b3d932adb8f0
Opcode Fuzzy Hash: aec259042491dbb3fe544774c8e276a180535567f17680ce86134158e5b310a7
Instruction Fuzzy Hash: F751CD315183109FD744EF54D892AAFB7A7EF84300F044A2EF99A572A2DB319D09CB93

Function 00629837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00629862
__swprintf.LIBCMT ref: 006298AC
__i64tow.LIBCMT ref: 0065F5E6

Strings

True, xrefs: 0065F5A7
0x%p, xrefs: 0065F5C8
False, xrefs: 0065F5AE
%.15g, xrefs: 006298A6

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 05079829bb9b71e5ac1a11686b3c4d97164f78ef7d96f9d1f04c6177eb02a129
Instruction ID: ec2d3ee8d9e9db08f0595ac22ce3074371f79180252978312f6b2f92011602f8
Opcode Fuzzy Hash: 05079829bb9b71e5ac1a11686b3c4d97164f78ef7d96f9d1f04c6177eb02a129
Instruction Fuzzy Hash: 4441C571910616AFEB24DF34D842EB673EBEF45300F24486EE949D7391EA359946CF20

Function 00636192 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00636248
_memmove.LIBCMT ref: 006362E4
_memset.LIBCMT ref: 00636308

Strings

failed to get memory, xrefs: 00636326
internal error: opcode not recognized, xrefs: 0063631B
ERCP, xrefs: 006361B3
argument is not a compiled regular expression, xrefs: 00670D87
3cc, xrefs: 006362AF
internal error: missing capturing bracket, xrefs: 00670D7F
argument not compiled in 16 bit mode, xrefs: 00670D77

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cc$ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
API String ID: 2532777613-1936413669
Opcode ID: 40a103be3ed751635c26c15f3828014f46d541d223a576534822d13b7ba8ca76
Instruction ID: a74c725209ed03ad5e1eab7930c08fbdfabb8c9c69343932bd3cb2379e752b4d
Opcode Fuzzy Hash: 40a103be3ed751635c26c15f3828014f46d541d223a576534822d13b7ba8ca76
Instruction Fuzzy Hash: 33518071900705EBEB24CF65C941BEBBBF6EF44314F20856EE54ACB291E770AA45CB90

Function 006A7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A716A
CreateMenu.USER32 ref: 006A7185
SetMenu.USER32(?,00000000), ref: 006A7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006A7221
IsMenu.USER32(?), ref: 006A7237
CreatePopupMenu.USER32 ref: 006A7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006A726E
DrawMenuBar.USER32 ref: 006A7276

Strings

F, xrefs: 006A7262
0, xrefs: 006A7160

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 91771cd0c8c5a7ce24cfcd719832591fee47092c57ba941ed2fe500b231dab8b
Instruction ID: 4b5131fb6c5546fe0de241194f281812ff23c07c613db0ce5918dbcb5b12aac7
Opcode Fuzzy Hash: 91771cd0c8c5a7ce24cfcd719832591fee47092c57ba941ed2fe500b231dab8b
Instruction Fuzzy Hash: 21411575A01205EFDB20EFA4D994B9ABBB6FF4A310F144429F945A7361D731AE10CF90

Function 006A74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006A755E
CreateCompatibleDC.GDI32(00000000), ref: 006A7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006A7578
SelectObject.GDI32(00000000,00000000), ref: 006A7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 006A758B
DeleteDC.GDI32(00000000), ref: 006A7594
GetWindowLongW.USER32(?,000000EC), ref: 006A759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006A75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006A75BE

Strings

static, xrefs: 006A74F6

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 175d9fa82c6edb8d88bf5b5833b21516defacf5447159e13a74ed0d9080bcc84
Instruction ID: ce87678a555655f07cde1d411f97b7811d2062bfc4739c756d7e2e14109761fc
Opcode Fuzzy Hash: 175d9fa82c6edb8d88bf5b5833b21516defacf5447159e13a74ed0d9080bcc84
Instruction Fuzzy Hash: 47316C32504214ABDF11AFA4DC08FDB3B6AFF0A321F111224FA55961A1CB71EC21DFA5

Function 00646E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00646E3E

Part of subcall function 00648B28: __getptd_noexit.LIBCMT ref: 00648B28

__gmtime64_s.LIBCMT ref: 00646ED7
__gmtime64_s.LIBCMT ref: 00646F0D
__gmtime64_s.LIBCMT ref: 00646F2A
__allrem.LIBCMT ref: 00646F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00646F9C
__allrem.LIBCMT ref: 00646FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00646FD1
__allrem.LIBCMT ref: 00646FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00647006
__invoke_watson.LIBCMT ref: 00647077

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: bfa711a2150de4091795e1908dea4f9a69ff641278542b61e014016f9af2f8b0
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 337126B2A00717ABD714AE68CC41BEAB3FAAF01764F10422DF814D7381EB70DD448795

Function 00682527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682542
GetMenuItemInfoW.USER32(006E5890,000000FF,00000000,00000030), ref: 006825A3
SetMenuItemInfoW.USER32(006E5890,00000004,00000000,00000030), ref: 006825D9
Sleep.KERNEL32(000001F4), ref: 006825EB
GetMenuItemCount.USER32(?), ref: 0068262F
GetMenuItemID.USER32(?,00000000), ref: 0068264B
GetMenuItemID.USER32(?,-00000001), ref: 00682675
GetMenuItemID.USER32(?,?), ref: 006826BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00682700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00682714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00682735

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 773e31ac7f78f0718ba2ca02aa6ea1390ff91b9cba661fa507833f0f063935c9
Instruction ID: af6228cfa680c0e52f1803589714a1592c5caed2658c0d80391e660a8214fa88
Opcode Fuzzy Hash: 773e31ac7f78f0718ba2ca02aa6ea1390ff91b9cba661fa507833f0f063935c9
Instruction Fuzzy Hash: 5D61A47090024AAFDF21EFA4DCA8DFE7BBAFB05304F140259E942A7251D731AD45DB21

Function 006A6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006A6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006A6FA8
GetWindowLongW.USER32(?,000000F0), ref: 006A6FCC
_memset.LIBCMT ref: 006A6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006A6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006A7067

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 676b2b933e2a256fcb397dfc9315924badc36763ef38f57475199aabea6365cb
Instruction ID: 3e7405195817a9da0c1c3dd70b899fcb8aedf7d29877f868785f5b2154b1ea26
Opcode Fuzzy Hash: 676b2b933e2a256fcb397dfc9315924badc36763ef38f57475199aabea6365cb
Instruction Fuzzy Hash: 55617B75900248AFDB10EFA4CC81EEE77FAAB0A714F144159FA15AB3A1C771AD41DF90

Function 00676B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00676BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00676C18
VariantInit.OLEAUT32(?), ref: 00676C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00676C4A
VariantCopy.OLEAUT32(?,?), ref: 00676C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00676CB1
VariantClear.OLEAUT32(?), ref: 00676CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00676CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00676CDC
VariantClear.OLEAUT32(?), ref: 00676CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00676CF9

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bd7f75f515ea74c8c10b9c6dd0b1014358d2e89d738162be5b66fab0533a5a96
Instruction ID: 2eadf5aaa533cd9589a98d5a12133cc9df570e7d0842fc0feca28d076d75c4ea
Opcode Fuzzy Hash: bd7f75f515ea74c8c10b9c6dd0b1014358d2e89d738162be5b66fab0533a5a96
Instruction Fuzzy Hash: 59417F31A006199FCF00EFA8D8449EEBBBAEF48350F00C069F955E7261DB31A945CFA1

Function 00699113 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00699167
VariantInit.OLEAUT32(?), ref: 00699238
VariantInit.OLEAUT32(?), ref: 00699339
VariantClear.OLEAUT32(?), ref: 00699343
VariantClear.OLEAUT32(?), ref: 006993A0

Strings

get__NewEnum, xrefs: 0069913F
Null Object assignment in FOR..IN loop, xrefs: 006991C8, 006992F6, 006993AE
Incorrect Object type in FOR..IN loop, xrefs: 0069931C
_NewEnum, xrefs: 00699121

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
API String ID: 2862541840-1765764032
Opcode ID: 07616fed6d1585f2be7395def03bbd7d675bcc2c4166c45a622a59dfba787c9d
Instruction ID: c3e3d00d15a8aa567c068cc263cbca8397fabbeaa0981c6446f3f887d7966d35
Opcode Fuzzy Hash: 07616fed6d1585f2be7395def03bbd7d675bcc2c4166c45a622a59dfba787c9d
Instruction Fuzzy Hash: 4F91AE71A00219ABDF24DFA9C848FEEBBBAEF45710F10811DF505AB280D7709941CFA0

Function 00695732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00695793
inet_addr.WS2_32(?), ref: 006957D8
gethostbyname.WS2_32(?), ref: 006957E4
IcmpCreateFile.IPHLPAPI ref: 006957F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00695862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00695878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 006958ED
WSACleanup.WS2_32 ref: 006958F3

Strings

Ping, xrefs: 00695816

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2a72fc8b25ee198c43adeb348746a85521580d10e9da0ea8e590a3372d83d960
Instruction ID: 02634bed6591eac2f52174f2f19f362eab242e0e94a9586ccb917a9253f3b214
Opcode Fuzzy Hash: 2a72fc8b25ee198c43adeb348746a85521580d10e9da0ea8e590a3372d83d960
Instruction Fuzzy Hash: 3951BE31600A109FDB21EF64DD45B6AB7EAEF49320F048929F956DB2A1DB30EC00CF46

Function 0068B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0068B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0068B546
GetLastError.KERNEL32 ref: 0068B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0068B5BD

Strings

READY, xrefs: 0068B596
UNKNOWN, xrefs: 0068B575
NOTREADY, xrefs: 0068B57C
INVALID, xrefs: 0068B58F
READONLY, xrefs: 0068B588

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0a1dd6ebd71aa887d703f1966acc5172980834840d7f49405df56deea1f9b666
Instruction ID: 93466a28d2d7bccba3079869e5dc8e652b1415a55e34af1fe26052738de29ebb
Opcode Fuzzy Hash: 0a1dd6ebd71aa887d703f1966acc5172980834840d7f49405df56deea1f9b666
Instruction Fuzzy Hash: BB31A135A002059FCB10FFA8D885EEE77B6FF49300F10422AF50597391DB71AA42CB92

Function 00678F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 0067AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0067AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00679014
GetDlgCtrlID.USER32 ref: 0067901F
GetParent.USER32 ref: 0067903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0067903E
GetDlgCtrlID.USER32(?), ref: 00679047
GetParent.USER32(?), ref: 00679063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00679066

Strings

ComboBox, xrefs: 00678F9C
ListBox, xrefs: 00678FD1

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 386a31848cc7986812fdbbc23417d2c202a684fb2d4f4185001cb6fb31973540
Instruction ID: 26d00c56b2cc711196a06a87e53bc2573b6079c269ce68be6dea1dde81378c22
Opcode Fuzzy Hash: 386a31848cc7986812fdbbc23417d2c202a684fb2d4f4185001cb6fb31973540
Instruction Fuzzy Hash: D821D370A00108BBDF14ABA0CC85EFEBBBAEF4A310F10412AF925972A1DB755815DF21

Function 0067907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 0067AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0067AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006790FD
GetDlgCtrlID.USER32 ref: 00679108
GetParent.USER32 ref: 00679124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00679127
GetDlgCtrlID.USER32(?), ref: 00679130
GetParent.USER32(?), ref: 0067914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0067914F

Strings

ComboBox, xrefs: 00679087
ListBox, xrefs: 006790BC

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 2167df0c8e2ca39410bf86188153d561e47e9729739e5b45a5259b0bfc41b08e
Instruction ID: ca6b9d09216071b813592eb0b3464016b7e546780f75bf2eea5758720eff0158
Opcode Fuzzy Hash: 2167df0c8e2ca39410bf86188153d561e47e9729739e5b45a5259b0bfc41b08e
Instruction Fuzzy Hash: C521F574E00108BBDF10ABA0CC85EFEBBBAEF46300F00401AB915972A1DB755855DF21

Function 00679163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0067916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00679184
_wcscmp.LIBCMT ref: 00679196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00679211

Strings

details, xrefs: 006791BF
SHELLDLL_DefView, xrefs: 00679190
list, xrefs: 006791F3
largeicons, xrefs: 006791A5
smallicons, xrefs: 006791D9

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 2bc031f2cd2db317da17d4fd3c75e988e8b0b9326a192087b0e6bae644179b06
Instruction ID: b41050292504c4650d9c79f6a49ef2caa2286e5997c77b491ea10d39f40fa6be
Opcode Fuzzy Hash: 2bc031f2cd2db317da17d4fd3c75e988e8b0b9326a192087b0e6bae644179b06
Instruction Fuzzy Hash: 7A115C37698307BAFB103624EC27DE737DF9B16320B304027F914E42D2FE62A92159A5

Function 006988AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006988D7
CoInitialize.OLE32(00000000), ref: 00698904
CoUninitialize.COMBASE ref: 0069890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00698A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00698B3B
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,006B2C0C), ref: 00698B6F
CoGetObject.OLE32(?,00000000,006B2C0C,?), ref: 00698B92
SetErrorMode.KERNEL32(00000000), ref: 00698BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00698C25
VariantClear.OLEAUT32(?), ref: 00698C35

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 807be859679c2da8ce4786eba60efa7dc777ce5f9c74b391c2710383846edaf4
Instruction ID: 473a515a705aca1102ef690c155d33b0ed20ea45e44c115751c9e745249268e0
Opcode Fuzzy Hash: 807be859679c2da8ce4786eba60efa7dc777ce5f9c74b391c2710383846edaf4
Instruction Fuzzy Hash: FCC139B12043059FDB40EF64C88496BB7EAFF8A348F04491DF58A9B251DB71ED06CB52

Function 00687990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00687A6C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 56babfdee1d465397a8adf3ae9eeae9a2ca351d0fca4745ca2a456d2c863c86d
Instruction ID: f612d4c9f2baa06bd3ba8fe0f8c7dfa19ffd47aa79319e0da94e817cf6d011cd
Opcode Fuzzy Hash: 56babfdee1d465397a8adf3ae9eeae9a2ca351d0fca4745ca2a456d2c863c86d
Instruction Fuzzy Hash: 2CB1BD7190421A9FDB00EFA4C885BBEBBF6FF49321F244169EA01E7241D734E941CBA5

Function 006811CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006811F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00680268,?,00000001), ref: 00681204
GetWindowThreadProcessId.USER32(00000000), ref: 0068120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00680268,?,00000001), ref: 0068121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0068122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00680268,?,00000001), ref: 00681245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00680268,?,00000001), ref: 00681257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00680268,?,00000001), ref: 0068129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00680268,?,00000001), ref: 006812B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00680268,?,00000001), ref: 006812BC

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 8f22aeb2d75270cabb6768b2dc3dd3bb082e7b0477c458e2ee5b8a55078b0ebf
Instruction ID: 7ca1d9bbf2bfb55a74aec640b8aef9240dc7115be4f71741d80460b1299135a6
Opcode Fuzzy Hash: 8f22aeb2d75270cabb6768b2dc3dd3bb082e7b0477c458e2ee5b8a55078b0ebf
Instruction Fuzzy Hash: 58319175600304FBDB60AF94EC98FA977AFEB66351F105215F904CE2A0E7B4AE818F51

Function 0062FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0062FAA6
OleUninitialize.OLE32(?,00000000), ref: 0062FB45
UnregisterHotKey.USER32(?), ref: 0062FC9C
DestroyWindow.USER32(?), ref: 006645D6
FreeLibrary.KERNEL32(?), ref: 0066463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00664668

Strings

close all, xrefs: 0062FAA1

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 4440decce031fed3c8528af2789cfb022fba2f52166273137bda07bbe2086584
Instruction ID: 8495651a29e04c506cb1d836880bd7362c8393ff07d3f73e0a17f750b0c73577
Opcode Fuzzy Hash: 4440decce031fed3c8528af2789cfb022fba2f52166273137bda07bbe2086584
Instruction Fuzzy Hash: AFA16D30701622CFDB69EF14D995AA9F766AF05700F5442BDE80AAB261CF30AD16CF94

Function 0067A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0067A439), ref: 0067A377

Strings

CLASS, xrefs: 0067A0F6
NAME, xrefs: 0067A1A9
CLASSNN, xrefs: 0067A119
INSTANCE, xrefs: 0067A285
TEXT, xrefs: 0067A2AE
REGEXPCLASS, xrefs: 0067A13C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 19c522ee39f65ba5104b55dfe69e81ba834a5c6f5557191556609c132e13430d
Instruction ID: c7fc1a343e85d65dedc67d6e329588802d033904036ec7956b12c5702195818d
Opcode Fuzzy Hash: 19c522ee39f65ba5104b55dfe69e81ba834a5c6f5557191556609c132e13430d
Instruction Fuzzy Hash: D0910231A00616AADB48DFE0C441BEDFBB7BF44310F54C11DE85EA7252DB306A99CB95

Function 00622E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00622EAE

Part of subcall function 00621DB3: GetClientRect.USER32(?,?), ref: 00621DDC
Part of subcall function 00621DB3: GetWindowRect.USER32(?,?), ref: 00621E1D
Part of subcall function 00621DB3: ScreenToClient.USER32(?,?), ref: 00621E45

GetDC.USER32 ref: 0065CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0065CD45
SelectObject.GDI32(00000000,00000000), ref: 0065CD53
SelectObject.GDI32(00000000,00000000), ref: 0065CD68
ReleaseDC.USER32(?,00000000), ref: 0065CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0065CDFB

Strings

U, xrefs: 0065CCD0

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4b4dd73ecf39930a519d32860d30aca72ce7d40189712024fbfa15b7d25dff2a
Instruction ID: a93f4bc99ea33218d924d8bfe53a1fa4929832c23f5dec1c5268534604dabc34
Opcode Fuzzy Hash: 4b4dd73ecf39930a519d32860d30aca72ce7d40189712024fbfa15b7d25dff2a
Instruction Fuzzy Hash: 6571CF31400306EFCF219F64C890AEA7BB7FF49325F14426AED969A2A6C7319C45DF60

Function 006A6D80 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006A6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 006A6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006A6E52
_wcscat.LIBCMT ref: 006A6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 006A6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006A6EF2

Strings

SysListView32, xrefs: 006A6DF6
-----, xrefs: 006A6EA5

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: -----$SysListView32
API String ID: 307300125-3975388722
Opcode ID: d81740ab616d07bd99efcb187bbb3e9ab3e19fe1eaaffbf54fd2e608cfd6eaee
Instruction ID: 65a78faf496ae13392382e2eef105475052beb1dcc2c056c8827287849cabe7f
Opcode Fuzzy Hash: d81740ab616d07bd99efcb187bbb3e9ab3e19fe1eaaffbf54fd2e608cfd6eaee
Instruction Fuzzy Hash: 7D419070A00349AFEF21AFA4CC85BEA77EAEF09350F14042AF585E7291D6719D848F64

Function 00691A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00691A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00691A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00691ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00691AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00691AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00691B10
InternetCloseHandle.WININET(00000000), ref: 00691B57

Part of subcall function 00692483: GetLastError.KERNEL32(?,?,00691817,00000000,00000000,00000001), ref: 00692498
Part of subcall function 00692483: SetEvent.KERNEL32(?,?,00691817,00000000,00000000,00000001), ref: 006924AD

Strings

, xrefs: 00691B01

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 4de799f51bcc016311ab42c433a489ebc9b11bb697f2c3b59e7a788cee283d01
Instruction ID: 4ea57015fbf4c4421d65550b5756560164c041dcb99d8b6c0d2f4eb5e113bc7d
Opcode Fuzzy Hash: 4de799f51bcc016311ab42c433a489ebc9b11bb697f2c3b59e7a788cee283d01
Instruction Fuzzy Hash: 1A4191B150121ABFEF119F50CC85FFA77AEEF0A350F10412AF9059A241E770DE418BA5

Function 00698C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,006AF910), ref: 00698D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,006AF910), ref: 00698D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00698ED6
SysFreeString.OLEAUT32(?), ref: 00698F00

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: e0988cacfd54e86b6efba6de4c7038d2c177d6bf1a29a59d720c7d8f6cdaea72
Instruction ID: af00e96fd8ddc1ee8e36e0f69ab7fd50894942f35594bfcf00f425611ff07a80
Opcode Fuzzy Hash: e0988cacfd54e86b6efba6de4c7038d2c177d6bf1a29a59d720c7d8f6cdaea72
Instruction Fuzzy Hash: 5EF1F871A00219AFDF14DF94C884EEEB7BAFF49314F108498F915AB251DB31AE46CB61

Function 0069F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0069F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0069F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0069F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0069F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0069F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0069FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0069FA7C
CloseHandle.KERNEL32(?), ref: 0069FAAB
CloseHandle.KERNEL32(?), ref: 0069FB22

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 72d76724ed06fd87adbd7da691a06df4e0562bbaa4899675e035bd0f8f9fb488
Instruction ID: 1eac02ea195460dbf10ae0444e805345b16b20f1d388b002b4c8c3e465ae89fd
Opcode Fuzzy Hash: 72d76724ed06fd87adbd7da691a06df4e0562bbaa4899675e035bd0f8f9fb488
Instruction Fuzzy Hash: 15E1B0316043019FCB54EF24D891BAABBE6AF85314F19896DF8998B3A1CB31DC41CF56

Function 0062201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00621B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00622036,?,00000000,?,?,?,?,006216CB,00000000,?), ref: 00621B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006220D3
KillTimer.USER32(-00000001,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0062216E
DestroyAcceleratorTable.USER32(00000000), ref: 0065BCA6
DeleteObject.GDI32(00000000), ref: 0065BD1C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: c249716bb2c4f96eeb7781608fe31ffa5bdd2b76f1c5abb3429ea64cdfe6dba9
Instruction ID: 40e0a9c1373689fc4da8f0d9b98314e0e713aa84ef52cdb4d222f7c5847fe77f
Opcode Fuzzy Hash: c249716bb2c4f96eeb7781608fe31ffa5bdd2b76f1c5abb3429ea64cdfe6dba9
Instruction Fuzzy Hash: 5C618D31100B61EFCB25AF14E9A8B66B7F3FF41316F106528E9824A670C771A895DF91

Function 00684CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0068466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00683697,?), ref: 0068468B

Part of subcall function 0068466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00683697,?), ref: 006846A4

Part of subcall function 00684A31: GetFileAttributesW.KERNEL32(?,0068370B), ref: 00684A32

lstrcmpiW.KERNEL32(?,?), ref: 00684D40
_wcscmp.LIBCMT ref: 00684D5A
MoveFileW.KERNEL32(?,?), ref: 00684D75

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 901b03b0014760651327339da643b404e61c38d3a9c808b8f7bd09c5560d01ca
Instruction ID: f6e2b6874fb23bde898edc479da29f06f4bcbb81088daf9945489319ebe0e7b3
Opcode Fuzzy Hash: 901b03b0014760651327339da643b404e61c38d3a9c808b8f7bd09c5560d01ca
Instruction Fuzzy Hash: 1C5187B24083859BC764EBA0D881DDFB3EDAF85310F500A2EF685D3151EF74A588CB5A

Function 006A8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006A86FF

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: eed12c18a21aa8588fbf3e532bf1eff6abfd44d04ec7f35cb7c6e6e25b42604c
Instruction ID: a1faca57113cd3f97a0d717f3d21765ea5ef8c8edd7fca362705341e8a0ee480
Opcode Fuzzy Hash: eed12c18a21aa8588fbf3e532bf1eff6abfd44d04ec7f35cb7c6e6e25b42604c
Instruction Fuzzy Hash: 67517B30500254BEEB24BB289C85FAD7BA7AB06320F601125F951E72A1CF76EE808E55

Function 00622B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0065C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0065C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0065C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0065C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0065C370
DestroyCursor.USER32(00000000), ref: 0065C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0065C39C
DestroyCursor.USER32(?), ref: 0065C3AB

Part of subcall function 006AA4AF: DeleteObject.GDI32(00000000), ref: 006AA4E8

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2975913752-0
Opcode ID: 2e097d0e7dbf30a0673d0f44a7c273de4610f65dcd7d47717623f47a85e94488
Instruction ID: d71381f5483d9819dcc2dea353b26732c86c2dc0cf07c25f0f25514785ef602d
Opcode Fuzzy Hash: 2e097d0e7dbf30a0673d0f44a7c273de4610f65dcd7d47717623f47a85e94488
Instruction Fuzzy Hash: 69516A70A0071AAFDB20DF64DC55FAA3BA6EB09326F104528F902972A0DB70ED91DF50

Function 0067966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0067A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0067A84C
Part of subcall function 0067A82C: GetCurrentThreadId.KERNEL32 ref: 0067A853
Part of subcall function 0067A82C: AttachThreadInput.USER32(00000000,?,00679683,?,00000001), ref: 0067A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0067968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006796AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006796AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 006796B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006796D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006796D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 006796E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006796F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006796FB

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e981f5e43a7dcf7e82743690ff60cff511a8ddb32bacf0f534beae29329aa034
Instruction ID: 3cb106413be801f00b4312ad8b1d919fd7d863c7ab0b6f87d6454ceca986b2b5
Opcode Fuzzy Hash: e981f5e43a7dcf7e82743690ff60cff511a8ddb32bacf0f534beae29329aa034
Instruction Fuzzy Hash: F911E571910618BEF7106FA0DC89F6A3B1EEB4D750F102429F244AB0E0C9F26C11DEA9

Function 00678921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C), ref: 0067892A
RtlAllocateHeap.NTDLL(00000000), ref: 00678931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00678946
GetCurrentProcess.KERNEL32(?,00000000), ref: 0067894E
DuplicateHandle.KERNEL32(00000000), ref: 00678951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 00678961
GetCurrentProcess.KERNEL32(?,00000000), ref: 00678969
DuplicateHandle.KERNEL32(00000000), ref: 0067896C
CreateThread.KERNEL32(00000000,00000000,00678992,00000000,00000000,00000000), ref: 00678986

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: c2156b1f92b0f8bfaee2774497119548efec9120d9ab7721abceb1ef40d12b6a
Instruction ID: c313141eab276b7832f91a906c1ed67f2edbd01856eecead618dd4cb0ee5c89d
Opcode Fuzzy Hash: c2156b1f92b0f8bfaee2774497119548efec9120d9ab7721abceb1ef40d12b6a
Instruction Fuzzy Hash: 2C01A8B5240308FFE760ABA5DC4DF6B3BADEB89711F419421FA05DB1A1DA70AC008E21

Function 00699B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00699BA4, 00699EC8
Not an Object type, xrefs: 00699B7B

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: c83057277cb25ff294649216ae763c7c7f44b2ca9780121024cc8265cf9eaaa8
Instruction ID: 0b6ec4045dcc875dff60abea84fb2b234c6ee714e91b5a1d8f14807f0d405c14
Opcode Fuzzy Hash: c83057277cb25ff294649216ae763c7c7f44b2ca9780121024cc8265cf9eaaa8
Instruction Fuzzy Hash: 89C18171A0021A9BDF14DF98D884AEEB7FAFF48314F14846DE905A7781E770AD45CBA0

Function 0069975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0067710A: CLSIDFromProgID.COMBASE ref: 00677127
Part of subcall function 0067710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00677142
Part of subcall function 0067710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00677044,80070057,?,?), ref: 00677150
Part of subcall function 0067710A: CoTaskMemFree.COMBASE(00000000), ref: 00677160

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00699806
_memset.LIBCMT ref: 00699813
_memset.LIBCMT ref: 00699956
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00699982
CoTaskMemFree.COMBASE(?), ref: 0069998D

Strings

NULL Pointer assignment, xrefs: 006999DB

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: bb977c76fd307b3b08e89c413aea5af7364822b32fef1ff5d85def68b2e312e9
Instruction ID: a96b61598baa10f2f198459ba3a648733516b036362180e6f4cbded304f2869b
Opcode Fuzzy Hash: bb977c76fd307b3b08e89c413aea5af7364822b32fef1ff5d85def68b2e312e9
Instruction Fuzzy Hash: 22911671D00229ABDF10DFA5DC45EDEBBBAAF09310F20415AF519A7291DB71AA44CFA0

Function 0069E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00683C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00683C7A
Part of subcall function 00683C55: Process32FirstW.KERNEL32(00000000,?), ref: 00683C88
Part of subcall function 00683C55: CloseHandle.KERNEL32(00000000), ref: 00683D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0069E9A4
GetLastError.KERNEL32 ref: 0069E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0069E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0069EA63
GetLastError.KERNEL32(00000000), ref: 0069EA6E
CloseHandle.KERNEL32(00000000), ref: 0069EAA3

Strings

SeDebugPrivilege, xrefs: 0069E9C2

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e425acbc3759d443eb295ea4ca55071b89acef195f868bc0006102b87393e254
Instruction ID: 229b283082ba71bf006e9da807f170cc21b8f63efacdf6b6c55cef28586e905a
Opcode Fuzzy Hash: e425acbc3759d443eb295ea4ca55071b89acef195f868bc0006102b87393e254
Instruction Fuzzy Hash: 95418A716002019FDB14EF54D895BADB7A6AF81314F08845CF9469B3D2CB76A805CF9A

Function 00682F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00683033

Strings

stop, xrefs: 00683004
warning, xrefs: 0068301C
question, xrefs: 00682FEC
blank, xrefs: 00682FB5
info, xrefs: 00682FD4

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 01a1258ed67c3a70ea29eeb4bb3007c4ee619e5c0b99330f70c88104ae6e67cc
Instruction ID: 0a72090bf74c5a780a97eda011cb4b769ddedb9562bf7795a0ab2d40c0012628
Opcode Fuzzy Hash: 01a1258ed67c3a70ea29eeb4bb3007c4ee619e5c0b99330f70c88104ae6e67cc
Instruction Fuzzy Hash: C8112731748357BEE714BB54EC42CAB779FDF19720B20012AFA00A6382DBB1AF4057A5

Function 006842F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00684312
LoadStringW.USER32(00000000), ref: 00684319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0068432F
LoadStringW.USER32(00000000), ref: 00684336
_wprintf.LIBCMT ref: 0068435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0068437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00684357

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: e34bef94b272b5503b715f240a239a30d7648f930345dbf923cbbd2f89fc9935
Instruction ID: 0ccd2dd472e6d31dd414aea5ed833102f8b44dd296d73b61de1ffd07242acef2
Opcode Fuzzy Hash: e34bef94b272b5503b715f240a239a30d7648f930345dbf923cbbd2f89fc9935
Instruction Fuzzy Hash: 8F01A2F2840208BFE750BBE0DD89EE7776DDB09300F0015A1B705E2111EA706E854F75

Function 00622A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0065C1C7,00000004,00000000,00000000,00000000), ref: 00622ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0065C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00622B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0065C1C7,00000004,00000000,00000000,00000000), ref: 0065C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0065C1C7,00000004,00000000,00000000,00000000), ref: 0065C286

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: dd74330f0a3ad2cd98a99529353fabb8d644a25c67af610728ea93679de8b1d0
Instruction ID: e897307dcaf9aeb8865a271ceff322470f1423061458729c182a40969c6c5d6e
Opcode Fuzzy Hash: dd74330f0a3ad2cd98a99529353fabb8d644a25c67af610728ea93679de8b1d0
Instruction Fuzzy Hash: 53414D30204F91BEC7359B28FCA87AB7BD3AB46315F14942DE44746A60C635A886DF11

Function 006870C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006870DD

Part of subcall function 00640DB6: std::exception::exception.LIBCMT ref: 00640DEC
Part of subcall function 00640DB6: __CxxThrowException@8.LIBCMT ref: 00640E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00687114
RtlEnterCriticalSection.NTDLL(?), ref: 00687130
_memmove.LIBCMT ref: 0068717E
_memmove.LIBCMT ref: 0068719B
RtlLeaveCriticalSection.NTDLL(?), ref: 006871AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006871BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 006871DE

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: ed995f1fd168db70ead5fadea607f81ce560d77a236977caee7234df16caaad5
Instruction ID: 1cef7e9c73e8cf84384f0bfd7bbf5039d96448ebb08f32e0a60254a786b1dfae
Opcode Fuzzy Hash: ed995f1fd168db70ead5fadea607f81ce560d77a236977caee7234df16caaad5
Instruction Fuzzy Hash: A2317031900215EBDB50EFA4DC85AAEB77AEF45710F1441B9F904AB246DB30EE14CB65

Function 006A61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006A61EB
GetDC.USER32(00000000), ref: 006A61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006A61FE
ReleaseDC.USER32(00000000,00000000), ref: 006A620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006A6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006A6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006A902A,?,?,000000FF,00000000,?,000000FF,?), ref: 006A6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006A62B1

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8e459d20c058537f1852a3fff408cb5d3e618373e002084a47e20a6f2cecfb54
Instruction ID: 759c2eef592ddb361a695049fc793ec4ecf4b221c24df7ab1cc422a7da0b1f89
Opcode Fuzzy Hash: 8e459d20c058537f1852a3fff408cb5d3e618373e002084a47e20a6f2cecfb54
Instruction Fuzzy Hash: 753171721012107FEB115F50CC4AFEB3BAAEF4A755F085065FE089A292C675AC41CF75

Function 00621424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854f517c5de8287809ee8e70b96f01f794f61381fa4d78ef0ac1b09b4a45ddd1
Instruction ID: 7e662c882a9078fb6fca041aeb61932a1d78a25b7a3ea4dba569b1ecfd99c302
Opcode Fuzzy Hash: 854f517c5de8287809ee8e70b96f01f794f61381fa4d78ef0ac1b09b4a45ddd1
Instruction Fuzzy Hash: 9A719E30904519EFCB04DF98DC48AFEBBBAFF86310F108159F915AA251C734AA52CF65

Function 006AB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01512670), ref: 006AB3EB
IsWindowEnabled.USER32(01512670), ref: 006AB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 006AB4DB
SendMessageW.USER32(01512670,000000B0,?,?), ref: 006AB512
IsDlgButtonChecked.USER32(?,?), ref: 006AB54F
GetWindowLongW.USER32(01512670,000000EC), ref: 006AB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006AB589

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: c5a4691d39baface497b0da9f905672bf8626e394cbdd4b4e913b2ea2fbe6dff
Instruction ID: af0c029c6dea43644c6698ae30420bc80923edb102838336c74a4ac0f16b323e
Opcode Fuzzy Hash: c5a4691d39baface497b0da9f905672bf8626e394cbdd4b4e913b2ea2fbe6dff
Instruction Fuzzy Hash: 31716834605204AFEF20AF65C894BEA7BEBEB0B300F146059E956973A7C732AD51DF50

Function 0069F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0069F448
_memset.LIBCMT ref: 0069F511
ShellExecuteExW.SHELL32(?), ref: 0069F556

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

Part of subcall function 0063FC86: _wcscpy.LIBCMT ref: 0063FCA9

GetProcessId.KERNEL32(00000000), ref: 0069F5CD
CloseHandle.KERNEL32(00000000), ref: 0069F5FC

Strings

@, xrefs: 0069F525

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 469a95018e21ef19e1a6d73c47832c96a0b5184e9f92d5b92a71733b568aaa72
Instruction ID: 3f83e0594195dd0790e1a65f97363b2152d527e92822d4598c5377bcd6bbd481
Opcode Fuzzy Hash: 469a95018e21ef19e1a6d73c47832c96a0b5184e9f92d5b92a71733b568aaa72
Instruction Fuzzy Hash: 5D617975A006299FCF04EFA4C4819AEBBB6FF49310F158469E815AB751CB30AD41CF98

Function 00680F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00680F8C
GetKeyboardState.USER32(?), ref: 00680FA1
SetKeyboardState.USER32(?), ref: 00681002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00681030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0068104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00681095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006810B8

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cd032e79f00a207564341547131409bdbe979224b271a7e0eba7d305efee16ce
Instruction ID: 57e8740905469f46659cf2cb130e6d6aee413c74f1901aaae63b13dc403a4b88
Opcode Fuzzy Hash: cd032e79f00a207564341547131409bdbe979224b271a7e0eba7d305efee16ce
Instruction Fuzzy Hash: 2B51D3605046D539FB3663348C15BF6BEAF5B07304F088A89E2D88A9D3C699ECCAD751

Function 00680D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00680DA5
GetKeyboardState.USER32(?), ref: 00680DBA
SetKeyboardState.USER32(?), ref: 00680E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00680E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00680E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00680EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00680EC9

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7444df41fcb8fadcbd0756b928533e0dc6748e998c934902f1481f01fc4ae5b6
Instruction ID: 744c3b67b03a4ed9cef68f0c9e6a93ad3c8e41cf58521fd076232787c40d3523
Opcode Fuzzy Hash: 7444df41fcb8fadcbd0756b928533e0dc6748e998c934902f1481f01fc4ae5b6
Instruction Fuzzy Hash: 795104A05046D53DFB72A3648C55BBA7EAA5F06300F088E88E1D48A9C2C395EC8DD751

Function 006855FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0068560A
_wcsncpy.LIBCMT ref: 0068563F
_wcsncpy.LIBCMT ref: 00685671
_wcsncpy.LIBCMT ref: 006856A4
_wcsncpy.LIBCMT ref: 006856E6
_wcsncpy.LIBCMT ref: 00685720
_wcsncpy.LIBCMT ref: 0068574F

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: e323a1c0835ca24538203384ad122820b913bd50d2ad215dc94480531ed9e016
Instruction ID: 8535b5b911666926bdfa0947689cbfa78690b00546b10fdcaa45a79352ef6fe0
Opcode Fuzzy Hash: e323a1c0835ca24538203384ad122820b913bd50d2ad215dc94480531ed9e016
Instruction Fuzzy Hash: 35419065C1061476CB51FBF48886ACFB3BADF04310F50896AF509E3221FB34A795C7AA

Function 00683671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0068466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00683697,?), ref: 0068468B

Part of subcall function 0068466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00683697,?), ref: 006846A4

lstrcmpiW.KERNEL32(?,?), ref: 006836B7
_wcscmp.LIBCMT ref: 006836D3
MoveFileW.KERNEL32(?,?), ref: 006836EB
_wcscat.LIBCMT ref: 00683733
SHFileOperationW.SHELL32(?), ref: 0068379F

Strings

\*.*, xrefs: 0068372D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: b889670066da2c11bcf2e90630763512fde85663df91e6629a4647f5af89616e
Instruction ID: 9f057983693d810b4434c9fe5462c5b5dd70fd420ecabd3c19ad80e7057b83e1
Opcode Fuzzy Hash: b889670066da2c11bcf2e90630763512fde85663df91e6629a4647f5af89616e
Instruction Fuzzy Hash: 6741B171508345AEC795FF64C441ADFB7E9EF89740F000A2EF49AC3251EA34D689CB5A

Function 006A7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006A7351
IsMenu.USER32(?), ref: 006A7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006A73B1
DrawMenuBar.USER32 ref: 006A73C4

Strings

0, xrefs: 006A729E

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 1ef317f5a22627461e33c5d747450aa036285e036ea2901b9331ef2ed6664f5e
Instruction ID: 521ad939028b149c593abf3e03a777e51ac6af47e93d31638fd0e9f1ee3285b8
Opcode Fuzzy Hash: 1ef317f5a22627461e33c5d747450aa036285e036ea2901b9331ef2ed6664f5e
Instruction Fuzzy Hash: 35412275A00208AFDF20EF90D884AAABBEAEF0A315F159429FD05AB250D730AD14DF50

Function 006A0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 006A0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006A0FFE
FreeLibrary.KERNEL32(00000000), ref: 006A10B5

Part of subcall function 006A0FA5: RegCloseKey.ADVAPI32(?), ref: 006A101B
Part of subcall function 006A0FA5: FreeLibrary.KERNEL32(?), ref: 006A106D
Part of subcall function 006A0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006A1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 006A1058

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 8eb802f412f3ac4dbf3b78095fd1a04e8064be768a3b223283a4e71f7b75c798
Instruction ID: b578683819a43612c39ec21064c3325f00651502cf733fdc39b653c5dd018938
Opcode Fuzzy Hash: 8eb802f412f3ac4dbf3b78095fd1a04e8064be768a3b223283a4e71f7b75c798
Instruction Fuzzy Hash: 87312F71900109BFEB15AF90DC89EFFB7BDEF0A300F000169E501E6241DA746E859EA5

Function 006A62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006A62EC
GetWindowLongW.USER32(01512670,000000F0), ref: 006A631F
GetWindowLongW.USER32(01512670,000000F0), ref: 006A6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006A6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006A63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 006A63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006A63DB

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5d113b94918ac03ecc7ebb2a460f24d3e46904bb9cbccfc11362563f30369c19
Instruction ID: 203aff8eec79933ef509914d1ef277fadb9c6cb8f1e3c0a3df3225f7b567af8e
Opcode Fuzzy Hash: 5d113b94918ac03ecc7ebb2a460f24d3e46904bb9cbccfc11362563f30369c19
Instruction Fuzzy Hash: 2531FF34640290EFDB20AF58DC84F9637E2FB4A714F1961A8F5518F2B2CB61AC419F51

Function 0067DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0067DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0067DB54
SysAllocString.OLEAUT32(00000000), ref: 0067DB57
SysAllocString.OLEAUT32(?), ref: 0067DB75
SysFreeString.OLEAUT32(?), ref: 0067DB7E
StringFromGUID2.COMBASE(?,?,00000028), ref: 0067DBA3
SysAllocString.OLEAUT32(?), ref: 0067DBB1

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7669dc6dba1e1ac3ca2e4a3d7896b9655126d4d43965e62a5fc8e4cd50cc7804
Instruction ID: 3aa30b2f5a7d8b57757b3115d45e7f64e2f9b97901b771bd788c5dc79f68f139
Opcode Fuzzy Hash: 7669dc6dba1e1ac3ca2e4a3d7896b9655126d4d43965e62a5fc8e4cd50cc7804
Instruction Fuzzy Hash: B8217176600219AFDB10AFB8DC84CBB73AEEF09760B018525F918DB291D670AC418B64

Function 00696173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00697D8B: inet_addr.WS2_32(00000000), ref: 00697DB6

socket.WS2_32(00000002,00000001,00000006), ref: 006961C6
WSAGetLastError.WS2_32(00000000), ref: 006961D5
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0069620E
connect.WSOCK32(00000000,?,00000010), ref: 00696217
WSAGetLastError.WS2_32 ref: 00696221
closesocket.WS2_32(00000000), ref: 0069624A
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00696263

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 34e708f5cd573531c51d8f4f4370fb0fd0921db307012fd682a7c3d50fe0b3fc
Instruction ID: 1bb082412936253514ae1bb2964184567a53876f86718f66581417e1b6f3ab5b
Opcode Fuzzy Hash: 34e708f5cd573531c51d8f4f4370fb0fd0921db307012fd682a7c3d50fe0b3fc
Instruction Fuzzy Hash: 4831AF31600218AFEF10AF64DC85BBE7BAEEF45760F044029F905A7291DB74AD048BA2

Function 0067F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0067F671
__wcsnicmp.LIBCMT ref: 0067F692
__wcsnicmp.LIBCMT ref: 0067F6AC

Strings

#OnAutoItStartRegister, xrefs: 0067F6A6
#requireadmin, xrefs: 0067F68C
#notrayicon, xrefs: 0067F669

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: a4f82da294ba3c3883fed420be3a74e708fa572095e069d44cc9b1fd815775df
Instruction ID: b54719dcb0c3059a9a84b7c81941033badd86ae7b09992faf7259d51bf50835c
Opcode Fuzzy Hash: a4f82da294ba3c3883fed420be3a74e708fa572095e069d44cc9b1fd815775df
Instruction Fuzzy Hash: 0721497221452266D324A734FC12EE773DBDF55340F10C03DF98987291EB919D82D399

Function 0067DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0067DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0067DC2F
SysAllocString.OLEAUT32(00000000), ref: 0067DC32
SysAllocString.OLEAUT32 ref: 0067DC53
SysFreeString.OLEAUT32 ref: 0067DC5C
StringFromGUID2.COMBASE(?,?,00000028), ref: 0067DC76
SysAllocString.OLEAUT32(?), ref: 0067DC84

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e636407ed8c778662b96db4e87b372ffa25a9e57c7e1e892169d6ba9d91df9d1
Instruction ID: 24365e95b24fb5e2a740e792b06e539344ab2e0b79060e41d4bcd8e195d59539
Opcode Fuzzy Hash: e636407ed8c778662b96db4e87b372ffa25a9e57c7e1e892169d6ba9d91df9d1
Instruction Fuzzy Hash: BA213075604214AF9B10ABF8DC88DAB77FEEF09360B10C525F919CB261DAB4EC41CB65

Function 006A75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00621D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00621D73
Part of subcall function 00621D35: GetStockObject.GDI32(00000011), ref: 00621D87
Part of subcall function 00621D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00621D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006A7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006A763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006A764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006A7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006A7665

Strings

Msctls_Progress32, xrefs: 006A7603

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 1fe49cfc8fdebba832ce247e1bd971d1521ba000d46ef84e71390d0c01ffa31f
Instruction ID: bd553e0a85f657973b164fe7e18070dee225b170ad4d4c25d94383f21ed6f13a
Opcode Fuzzy Hash: 1fe49cfc8fdebba832ce247e1bd971d1521ba000d46ef84e71390d0c01ffa31f
Instruction Fuzzy Hash: DE11C4B2110219BFEF119F64CC85EE77F6EEF09798F015115BA04A61A0CB72AC21DFA4

Function 00649AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00649AE6

Part of subcall function 00643187: RtlEncodePointer.NTDLL(00000000), ref: 0064318A
Part of subcall function 00643187: __initp_misc_winsig.LIBCMT ref: 006431A5
Part of subcall function 00643187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00649EA0
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00649EB4
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00649EC7
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00649EDA
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00649EED
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00649F00
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00649F13
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00649F26
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00649F39
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00649F4C
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00649F5F
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00649F72
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00649F85
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00649F98
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00649FAB
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00649FBE

__mtinitlocks.LIBCMT ref: 00649AEB
__mtterm.LIBCMT ref: 00649AF4

Part of subcall function 00649B5C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00649C56
Part of subcall function 00649B5C: _free.LIBCMT ref: 00649C5D
Part of subcall function 00649B5C: RtlDeleteCriticalSection.NTDLL(02n), ref: 00649C7F

__calloc_crt.LIBCMT ref: 00649B19
__initptd.LIBCMT ref: 00649B3B
GetCurrentThreadId.KERNEL32 ref: 00649B42

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: fa59d3e6969e5a3e6631f39723e2e4f86206903847f1be49fd43e935df06f30b
Instruction ID: ec3e05c5008202a141ea4cca7ff3cfe3a0ec1d1bd92a80a7b345806fbf125798
Opcode Fuzzy Hash: fa59d3e6969e5a3e6631f39723e2e4f86206903847f1be49fd43e935df06f30b
Instruction Fuzzy Hash: 1AF06232A8A71159E7B47774BC0368B2697DF02738B200A1EF4608A1D2EE11944145B8

Function 0064406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00643F85), ref: 00644085
GetProcAddress.KERNEL32(00000000), ref: 0064408C
RtlEncodePointer.NTDLL(00000000), ref: 00644097
RtlDecodePointer.NTDLL(00643F85), ref: 006440B2

Strings

RoUninitialize, xrefs: 00644074
combase.dll, xrefs: 00644080

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 916b2735653e19e82b9ee8d8ffee7af52a22e5ccb3e39ee0ba86097ea55d6211
Instruction ID: 3fe56b4b529b6bd72cb1c2dc39cbb5dc7c5b08c93d98b5b6976e16667b0b9342
Opcode Fuzzy Hash: 916b2735653e19e82b9ee8d8ffee7af52a22e5ccb3e39ee0ba86097ea55d6211
Instruction Fuzzy Hash: 42E09A70541351AFDB10BFA2EC4DB857AA7BB15742F106428F101E66A0CB7656449F15

Function 00696B03 Relevance: 9.2, APIs: 6, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WS2_32(00000000,?), ref: 00696C00
WSAGetLastError.WS2_32(00000000), ref: 00696C34
htons.WS2_32(?), ref: 00696CEA
inet_ntoa.WS2_32(?), ref: 00696CA7

Part of subcall function 0067A7E9: _strlen.LIBCMT ref: 0067A7F3
Part of subcall function 0067A7E9: _memmove.LIBCMT ref: 0067A815

_strlen.LIBCMT ref: 00696D44
_memmove.LIBCMT ref: 00696DAD

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 1102d36d2d88e6eac33cdcd06cfb6606f8b1a7936f97a7b8adcb8acb6513672c
Instruction ID: fd5c690e07f888df5bf0a85975a7b73d716c13756baa051db6c110e8810b25c0
Opcode Fuzzy Hash: 1102d36d2d88e6eac33cdcd06cfb6606f8b1a7936f97a7b8adcb8acb6513672c
Instruction Fuzzy Hash: 3C81F071204710AFCB50EF24DC82EABB7AEAF84714F10491DF5569B292DA70ED05CBA6

Function 006864B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0068660B
_memmove.LIBCMT ref: 00686546

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

_memmove.LIBCMT ref: 006865B9
_memmove.LIBCMT ref: 006866A0
_memmove.LIBCMT ref: 006866B9
_memmove.LIBCMT ref: 006866D5

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: a4097bd3aa1f2db29de2292cb6da4cddf4ce332e667ae79a614bebd342b3e3e5
Instruction ID: 23611d59c02445d69d6d524a2bf37a6e328c1d525c5bb74883ee2f800525c921
Opcode Fuzzy Hash: a4097bd3aa1f2db29de2292cb6da4cddf4ce332e667ae79a614bebd342b3e3e5
Instruction Fuzzy Hash: 9161AD309006AA9BDF41FF60CC81EFE37A6AF45308F04461DF9156B292EB349D56CB69

Function 006A01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 006A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0069FDAD,?,?), ref: 006A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006A02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006A0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006A0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006A038C
RegCloseKey.ADVAPI32(00000000), ref: 006A0399

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 85e72174ca7c04f5190d4b3fcf63097b5f64d7a1e7b8649a28ab2b91d05c6710
Instruction ID: 455028460df54ae4cc27d2cc50a0d382dfaf3fa642a09cf48702528f1bc5a1bf
Opcode Fuzzy Hash: 85e72174ca7c04f5190d4b3fcf63097b5f64d7a1e7b8649a28ab2b91d05c6710
Instruction Fuzzy Hash: A7515831108201AFDB50EF64D895EAABBEAFF86314F04491DF585872A2DB31E905CF56

Function 006A5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006A57FB
GetMenuItemCount.USER32(00000000), ref: 006A5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006A585A
GetMenuItemID.USER32(?,?), ref: 006A58C9
GetSubMenu.USER32(?,?), ref: 006A58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 006A5928

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 6161c74d8946684828cc6d09e68d2c4e39d2ebd3da16ec440b2fd67fdbb5e9b0
Instruction ID: b7af39619926017521697e097ab5b651e02d17029cdcc652c5e5fad047974d21
Opcode Fuzzy Hash: 6161c74d8946684828cc6d09e68d2c4e39d2ebd3da16ec440b2fd67fdbb5e9b0
Instruction Fuzzy Hash: 6A516D35E00A25EFCF51EFA4C8459AEB7B6EF49320F144469E812BB351CB34AE418F94

Function 0067EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0067EF06
VariantClear.OLEAUT32(00000013), ref: 0067EF78
VariantClear.OLEAUT32(00000000), ref: 0067EFD3
_memmove.LIBCMT ref: 0067EFFD
VariantClear.OLEAUT32(?), ref: 0067F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0067F078

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 24ceff4c54742d91a9fef9f27c07f4390cb914351a44581edef69e396c5633dd
Instruction ID: e5b54a2158aef4796c734bcba351af4e34de7b00e22304efe1c1f3d2e35298aa
Opcode Fuzzy Hash: 24ceff4c54742d91a9fef9f27c07f4390cb914351a44581edef69e396c5633dd
Instruction Fuzzy Hash: 7C5154B5A00209EFCB10DF58C890EAAB7B9FF4D310B15856AE949DB301E335E911CFA0

Function 0068220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006822A3
IsMenu.USER32(00000000), ref: 006822C3
CreatePopupMenu.USER32 ref: 006822F7
GetMenuItemCount.USER32(000000FF), ref: 00682355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00682386

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 436edc868300fcffcbc328d12de4ec282420a528c7b703c5f126b01b9babbee5
Instruction ID: b8f63a9e5371bac4d67a533dcf637671f5db659cc8d4ea0f9cfc181e93cba41f
Opcode Fuzzy Hash: 436edc868300fcffcbc328d12de4ec282420a528c7b703c5f126b01b9babbee5
Instruction Fuzzy Hash: 7E519E70A0020ADFDF21EF68D8B8BEDBBF6BF45314F104229E851A7290D7749A45CB51

Function 00621765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0062179A
GetWindowRect.USER32(?,?), ref: 006217FE
ScreenToClient.USER32(?,?), ref: 0062181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0062182C
EndPaint.USER32(?,?), ref: 00621876

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: eeb5237df91aa21b80c8d20f7f4ff2fdc868c0a2b70410a0e9a22fabc340b64e
Instruction ID: 86b4ed3640d28c97e36158e7c1ebf91237b74cd4b4406036228fbaddf5c3a7ab
Opcode Fuzzy Hash: eeb5237df91aa21b80c8d20f7f4ff2fdc868c0a2b70410a0e9a22fabc340b64e
Instruction Fuzzy Hash: 2241C130104B50AFC710EF24DCC4FB67BEAEB56324F141268F9A58B2A1C730A845DF62

Function 006AB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006E57B0,00000000,01512670,?,?,006E57B0,?,006AB5A8,?,?), ref: 006AB712
EnableWindow.USER32(00000000,00000000), ref: 006AB736
ShowWindow.USER32(006E57B0,00000000,01512670,?,?,006E57B0,?,006AB5A8,?,?), ref: 006AB796
ShowWindow.USER32(00000000,00000004,?,006AB5A8,?,?), ref: 006AB7A8
EnableWindow.USER32(00000000,00000001), ref: 006AB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 006AB7EF

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: efc2247b30c1d91939385ea52aff2f30b0340ab16a482a9fcade70e69ff390f5
Instruction ID: 21262fc8c58e319c6366422d986f261cdd13fb7e06cce8a69f97b41758c69070
Opcode Fuzzy Hash: efc2247b30c1d91939385ea52aff2f30b0340ab16a482a9fcade70e69ff390f5
Instruction Fuzzy Hash: 0F414B34600240AFDB26EF24D499BD4BBE2FB46310F1851A9E9488F6A3C7B1EC56DF51

Function 0069709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00694E41,?,?,00000000,00000001), ref: 006970AC

Part of subcall function 006939A0: GetWindowRect.USER32(?,?), ref: 006939B3

GetDesktopWindow.USER32 ref: 006970D6
GetWindowRect.USER32(00000000), ref: 006970DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0069710F

Part of subcall function 00685244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006852BC

GetCursorPos.USER32(?), ref: 0069713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00697199

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 8331ba7524dba4965f5088044e976c8e07f1c7c37d16b7afe3c75aa066042c16
Instruction ID: b41232dd88eb760a2f9f27c169e93ab01b55ac3946ed41056cc011df374a98fd
Opcode Fuzzy Hash: 8331ba7524dba4965f5088044e976c8e07f1c7c37d16b7afe3c75aa066042c16
Instruction Fuzzy Hash: 3931D272509305ABDB20EF54C849B9BB7EAFF89314F040919F58597291DA30EA09CB92

Function 0068EB23 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

Part of subcall function 0063FC86: _wcscpy.LIBCMT ref: 0063FCA9

_wcstok.LIBCMT ref: 0068EC94
_wcscpy.LIBCMT ref: 0068ED23
_memset.LIBCMT ref: 0068ED56

Strings

X, xrefs: 0068ED93

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 69d2b5873345befe43dfaa09110a877e5a1366be6bb7cd4c1c874d0dd4d79f8f
Instruction ID: eb776ddf910d5a97129e652e66ca358ab8860eb1902c6eeb58950fc93372118f
Opcode Fuzzy Hash: 69d2b5873345befe43dfaa09110a877e5a1366be6bb7cd4c1c874d0dd4d79f8f
Instruction Fuzzy Hash: CCC18E316087519FC7A4EF24D845E9AB7E2BF85310F00492DF8999B2A2DB31EC45CF56

Function 00678879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006780A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006780C0
Part of subcall function 006780A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006780CA
Part of subcall function 006780A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006780D9
Part of subcall function 006780A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 006780E0
Part of subcall function 006780A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006780F6

GetLengthSid.ADVAPI32(?,00000000,0067842F), ref: 006788CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006788D6
RtlAllocateHeap.NTDLL(00000000), ref: 006788DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 006788F6
GetProcessHeap.KERNEL32(00000000,00000000,0067842F), ref: 0067890A
HeapFree.KERNEL32(00000000), ref: 00678911

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 0902058155886a10e7e45b4dc3de20bc6623041051d03d5924f96a4ae800bb9d
Instruction ID: 6de13139a6e53c5d055742016ddba3272d50b36310bc7c0f2f9f4d695e11d29b
Opcode Fuzzy Hash: 0902058155886a10e7e45b4dc3de20bc6623041051d03d5924f96a4ae800bb9d
Instruction Fuzzy Hash: F911B131651209FFDB109FA8DC09BFE7B6AEB45311F108168E98997210CB32AD00DF62

Function 0067B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0067B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0067B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0067B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0067B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0067B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0067B7FE

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a1d30639d9e52ae881a67c5326ba7799b6abef957cc9f61b2905e91f5d1db8e5
Instruction ID: 86bb9120ad456bb2e177708854f4429da6fb292fb251142d3ed835ae2f454650
Opcode Fuzzy Hash: a1d30639d9e52ae881a67c5326ba7799b6abef957cc9f61b2905e91f5d1db8e5
Instruction Fuzzy Hash: B8018475E00209BBEB10ABE69C45B5EBFB9EB49311F009075FA08A7391D6719C00CF91

Function 00640162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00640193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0064019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006401A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006401B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 006401B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 006401C1

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d7d16e1cfe0facd87f7546e9b105cad5cc9d3cc573c800b72ee1b4386cfa2dcb
Instruction ID: 9b170cead01816f48775bddff2091ed510237b8129ec6e92bc15075a8bf64a23
Opcode Fuzzy Hash: d7d16e1cfe0facd87f7546e9b105cad5cc9d3cc573c800b72ee1b4386cfa2dcb
Instruction Fuzzy Hash: 15016CB09017597DE3009F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CFE5

Function 006853E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006853F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0068540F
GetWindowThreadProcessId.USER32(?,?), ref: 0068541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0068542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00685437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0068543E

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 939fd405aa3fe686849e6b71365c9f2e7d73dc10746b32b84c31d1626cd400bb
Instruction ID: f3a0cdd420ef09fe85bef568c8d7966fbed167dcaf3bc4f8c12de09b97834fec
Opcode Fuzzy Hash: 939fd405aa3fe686849e6b71365c9f2e7d73dc10746b32b84c31d1626cd400bb
Instruction Fuzzy Hash: 83F01D32241558BBE7316BE2DC0DEEB7A7DEBC7B11F001169FA05D10519AA12A018AB6

Function 00687230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00687243
RtlEnterCriticalSection.NTDLL(?), ref: 00687254
TerminateThread.KERNEL32(00000000,000001F6,?,00630EE4,?,?), ref: 00687261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00630EE4,?,?), ref: 0068726E

Part of subcall function 00686C35: CloseHandle.KERNEL32(00000000,?,0068727B,?,00630EE4,?,?), ref: 00686C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00687281
RtlLeaveCriticalSection.NTDLL(?), ref: 00687288

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 82efacc6de67814584512cc27de4b84f8d9db9da01fe4d8b1d5eefa2f78200c7
Instruction ID: 6d2051bdb58148e81017499cd3f7584ddca11c85bf29849ea8ccd497e836a172
Opcode Fuzzy Hash: 82efacc6de67814584512cc27de4b84f8d9db9da01fe4d8b1d5eefa2f78200c7
Instruction Fuzzy Hash: F2F05E36540612EBD7623BE4ED4CAEA772BEF46702B101631F503910A0DB766A01CF51

Function 006985ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00698613
CharUpperBuffW.USER32(?,?), ref: 00698722
VariantClear.OLEAUT32(?), ref: 0069889A

Part of subcall function 00687562: VariantInit.OLEAUT32(00000000), ref: 006875A2
Part of subcall function 00687562: VariantCopy.OLEAUT32(00000000,?), ref: 006875AB
Part of subcall function 00687562: VariantClear.OLEAUT32(00000000), ref: 006875B7

Strings

AUTOIT.ERROR, xrefs: 00698728
Incorrect Parameter format, xrefs: 0069864B, 0069880D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: c433ebc22a470ba2ae5f53fb5b34286b93c52b99f9a47535cc07fd904a36f043
Instruction ID: 2d154a699428f45d4810960e5a35ab8b6a8f6ad080598e06f3f9e9ec47be6e56
Opcode Fuzzy Hash: c433ebc22a470ba2ae5f53fb5b34286b93c52b99f9a47535cc07fd904a36f043
Instruction Fuzzy Hash: 22918170A047019FCB50DF24C48495AB7EAEF8A714F14896EF89A8B361DB31ED45CF62

Function 00682A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0063FC86: _wcscpy.LIBCMT ref: 0063FCA9

_memset.LIBCMT ref: 00682B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00682BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00682C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00682C97

Strings

0, xrefs: 00682B73

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 3d2ed9edaa4af86909404961016a998b981c937bafc3b691d48191f4de9b1146
Instruction ID: 33c303742a97b017d4f64c511241e795ea3129d0ce5568d5c3ee221398b81001
Opcode Fuzzy Hash: 3d2ed9edaa4af86909404961016a998b981c937bafc3b691d48191f4de9b1146
Instruction Fuzzy Hash: 9C51DE715093029BD7A4AF28D865ABFB7EAEF59314F040B2DF891D22D0DB70CD048B56

Function 00633137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00633277
_memmove.LIBCMT ref: 00633310
_free.LIBCMT ref: 00633336
_memmove.LIBCMT ref: 006333E9

Strings

_c, xrefs: 00633322
3cc, xrefs: 00633225

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cc$_c
API String ID: 2620147621-1111051329
Opcode ID: 8f233d3cc3cc69c38f6e163c5f9402b6e32ee729320b1efba29259b51028e695
Instruction ID: 950d898abc75073d1edd5b6a86c164c6e387b2f504affc86a204c84a97743545
Opcode Fuzzy Hash: 8f233d3cc3cc69c38f6e163c5f9402b6e32ee729320b1efba29259b51028e695
Instruction Fuzzy Hash: 10515B71A083519FDB65CF28C851B6ABBF6EF85310F48882DE989C7351DB31E945CB82

Function 0067D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0067D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0067D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0067D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0067D69D

Strings

DllGetClassObject, xrefs: 0067D610

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 53d9b035e2fee833f621f9d1650e55a3a0bf4519afd13469ba44ee347e0c35c1
Instruction ID: 50e195248313518907e73ea6b9b57e9758db63305605e38e3f0c94f2bf925154
Opcode Fuzzy Hash: 53d9b035e2fee833f621f9d1650e55a3a0bf4519afd13469ba44ee347e0c35c1
Instruction Fuzzy Hash: 7F416BB1600204EFDB15DF64C884A9ABBBAEF85314F1589ADED0D9F205D7B1DD44CBA0

Function 00682753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006827C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006827DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00682822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006E5890,00000000), ref: 0068286B

Strings

0, xrefs: 006827B5

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 6981966ae49cb01b37e546307ea74b85ad297bd88c3c96a40fb4e1fd10b49234
Instruction ID: 8230fb6b744dc1201f1e21fe6833179f38fcabdea69d404c2d93624a901fc133
Opcode Fuzzy Hash: 6981966ae49cb01b37e546307ea74b85ad297bd88c3c96a40fb4e1fd10b49234
Instruction Fuzzy Hash: 3E41A2B0604302AFDB20EF24C894B5ABBE6EF85314F144A2EF56597391D730A809CB56

Function 0069D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0069D7C5

Part of subcall function 0062784B: _memmove.LIBCMT ref: 00627899

Strings

none, xrefs: 0069D8A0
stdcall, xrefs: 0069D847
winapi, xrefs: 0069D836
cdecl, xrefs: 0069D81C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 88b8450aa4d961ef7caa3a356f0722434f1f659ed47e54e366a8674a5fe1eb97
Instruction ID: 7090993f51f207caa462c4857164f6f3373901bd30fac93a3fc3eb1f4f646b02
Opcode Fuzzy Hash: 88b8450aa4d961ef7caa3a356f0722434f1f659ed47e54e366a8674a5fe1eb97
Instruction Fuzzy Hash: FC31B271904615ABCF10EF54CD519FEB7BAFF05320B10862EE865977D2DB31A905CB90

Function 00678E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 0067AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0067AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00678F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00678F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00678F57

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

Strings

ComboBox, xrefs: 00678E9E
ListBox, xrefs: 00678ED3

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 2a1a5dad9bd30ff0574467c6687e8e7d31177a1668a080e6fc0d7fe9d08fe3ac
Instruction ID: 17b783d72ba3da089c89e48a41d7b5c5e6c2b40654e9eba54c4de70d9cf70e7c
Opcode Fuzzy Hash: 2a1a5dad9bd30ff0574467c6687e8e7d31177a1668a080e6fc0d7fe9d08fe3ac
Instruction Fuzzy Hash: A7210471A40108BEDB14ABB0DC49CFFB76BDF46360B14852EF429972E0DF395C099A60

Function 0069182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0069184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00691872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006918A2
InternetCloseHandle.WININET(00000000), ref: 006918E9

Part of subcall function 00692483: GetLastError.KERNEL32(?,?,00691817,00000000,00000000,00000001), ref: 00692498
Part of subcall function 00692483: SetEvent.KERNEL32(?,?,00691817,00000000,00000000,00000001), ref: 006924AD

Strings

, xrefs: 00691893

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 20bb029bf745e6c6b91c10d304d482f59cff4a3df71b1b2cf1b8d1c60208247a
Instruction ID: 53247830d29cc2eb6b8247e47f622bbcf16322800c8f008acbc2789d82321532
Opcode Fuzzy Hash: 20bb029bf745e6c6b91c10d304d482f59cff4a3df71b1b2cf1b8d1c60208247a
Instruction Fuzzy Hash: 6F21C2B5500309BFEF11AF60DD85EBF77EEEB4A744F20412BF4059A640DB209E056BA5

Function 006A63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00621D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00621D73
Part of subcall function 00621D35: GetStockObject.GDI32(00000011), ref: 00621D87
Part of subcall function 00621D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00621D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006A6461
LoadLibraryW.KERNEL32(?), ref: 006A6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006A647D
DestroyWindow.USER32(?), ref: 006A6485

Strings

SysAnimate32, xrefs: 006A643C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 7ccf663a4184a950e92c86625532e646c38af353af789639532431d9a3133a50
Instruction ID: 5e43bb721e988de7733226c9622b3b107fc9013cd1759c1aeaf79f8cff6b0888
Opcode Fuzzy Hash: 7ccf663a4184a950e92c86625532e646c38af353af789639532431d9a3133a50
Instruction Fuzzy Hash: CC218071100205ABEF106FA4DC40EBB77EAEF5A328F189629F910962A0D7719C519FA0

Function 00686D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00686DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00686DEF
GetStdHandle.KERNEL32(0000000C), ref: 00686E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00686E3B

Strings

nul, xrefs: 00686E36

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 46f6c43a7fb12f475e1b6225021d9cd1ef9bcd61017d69511991e98ccd03319b
Instruction ID: b91e58f5f2084c622b6a141aa4c5b97c25d7d35dfe4b854de50d59cc04ba014f
Opcode Fuzzy Hash: 46f6c43a7fb12f475e1b6225021d9cd1ef9bcd61017d69511991e98ccd03319b
Instruction Fuzzy Hash: E2219274600209ABDB20BF69DC04B9A77F6EF45720F204719FDA1D73D0D77099518B54

Function 00686E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00686E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00686EBB
GetStdHandle.KERNEL32(000000F6), ref: 00686ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00686F06

Strings

nul, xrefs: 00686F01

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c5deb0fd7ea96182c688c41f83aee1672e4f5183dd2225f7c6e13d212ccd2c22
Instruction ID: f74a6c15c0d07d66acc301ce95042280f6efd759627f02779025c56768f8ff22
Opcode Fuzzy Hash: c5deb0fd7ea96182c688c41f83aee1672e4f5183dd2225f7c6e13d212ccd2c22
Instruction Fuzzy Hash: 8821C4755043059BDB20AF69DC08AAA77EAEF45724F200B19FDA1D33D0DB70A941CB11

Function 0068AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0068AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0068ACA8
__swprintf.LIBCMT ref: 0068ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,006AF910), ref: 0068ACFF

Strings

%lu, xrefs: 0068ACBB

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: fb4a8868dc2cb786918ab447f8dd16cca0b6c609b27f487d04538ed7aca1b916
Instruction ID: 56631174d477f82ab7b3c8966273dcd18c521342521ea0e7c6d02ea78129a62c
Opcode Fuzzy Hash: fb4a8868dc2cb786918ab447f8dd16cca0b6c609b27f487d04538ed7aca1b916
Instruction Fuzzy Hash: AB21A130A00109AFCB50EFA4D945DEE7BB9EF89314B004069F9099B351DA71EE41CF21

Function 00681142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0067FCED,?,00680D40,?,00008000), ref: 0068115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0067FCED,?,00680D40,?,00008000), ref: 00681184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0067FCED,?,00680D40,?,00008000), ref: 0068118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0067FCED,?,00680D40,?,00008000), ref: 006811C1

Strings

@h, xrefs: 0068119D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @h
API String ID: 2875609808-2031928309
Opcode ID: a97b592bc62a87e82f4564ca1166d2185eeb383ef76fddd90bae29eb0f1e426f
Instruction ID: d9fcea7a5059a1c726c3ad701df681928a89ef1556cc4b8da9e6d490ad01eade
Opcode Fuzzy Hash: a97b592bc62a87e82f4564ca1166d2185eeb383ef76fddd90bae29eb0f1e426f
Instruction Fuzzy Hash: 40113031D0051DD7CF00AFE5D9486EEBB7EFF0A711F004565DA85B6240CB70A552CB95

Function 00681AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00681B19

Strings

APPEND, xrefs: 00681B52
EXISTS, xrefs: 00681B41
REMOVE, xrefs: 00681B1F
KEYS, xrefs: 00681B30

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 232bdf3c3bd3eb0dc867c16dbc25674eb455c71a5e85cbd6ca6c37ed2dbd3e1e
Instruction ID: 07f54443f956bcf4435af38e9391c97b1b77ae170304b20e59bd31fc01aae992
Opcode Fuzzy Hash: 232bdf3c3bd3eb0dc867c16dbc25674eb455c71a5e85cbd6ca6c37ed2dbd3e1e
Instruction Fuzzy Hash: 72113C709402189FCF80EF94E8558EEB7B6BF26304F1045A9D955AB392EB325D06CB54

Function 0069EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0069EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0069EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0069ED6A
CloseHandle.KERNEL32(?), ref: 0069EDEB

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 05813213a07026af20b74ff3ddf5d8fc639493b3112683fb33c692339152986b
Instruction ID: b62e32bb5af54b19abfeb4aab31fd306908fdee9dcdf2d7a8d2fd1c740956c97
Opcode Fuzzy Hash: 05813213a07026af20b74ff3ddf5d8fc639493b3112683fb33c692339152986b
Instruction Fuzzy Hash: 5881C1716007109FDB60EF28D846F6AB7E6AF88710F04891DF9999B3D2D671AC04CF95

Function 006A0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 006A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0069FDAD,?,?), ref: 006A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006A013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006A0183
RegCloseKey.ADVAPI32(?,?), ref: 006A01AF
RegCloseKey.ADVAPI32(00000000), ref: 006A01BC

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: c0d60e3d56524756a207ccde7b45ddd4b3fa3e0d14675b3549b98ad2b3b91a2c
Instruction ID: c3a80c13c2a79f6b19de7150af2da86b1b92e6f38ee4234d8f06f998d6789080
Opcode Fuzzy Hash: c0d60e3d56524756a207ccde7b45ddd4b3fa3e0d14675b3549b98ad2b3b91a2c
Instruction Fuzzy Hash: D6519D71208204AFD754EFA4D881EAAB7EAFF85304F40882DF585872A2DB31ED05CF56

Function 0069D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0069D927
GetProcAddress.KERNEL32(00000000,?), ref: 0069D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0069D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0069DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0069DA21

Part of subcall function 00625A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00687896,?,?,00000000), ref: 00625A2C
Part of subcall function 00625A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00687896,?,?,00000000,?,?), ref: 00625A50

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: e37b155869c84ff0d89336054d0a4edf5a18b7791798bebd88e40c1e7d988062
Instruction ID: 92b81e938d8615ea30fdb99d7b9584f540c3c59e4185369e8f9551e195ae7941
Opcode Fuzzy Hash: e37b155869c84ff0d89336054d0a4edf5a18b7791798bebd88e40c1e7d988062
Instruction Fuzzy Hash: BE512735A00619DFCB40EFA8D4849ADB7FAFF59320B048069E85AAB312D731AD45CF95

Function 0068E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0068E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0068E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0068E687

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0068E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0068E6B4

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 2263d5279e85b5fac2caffb0c45816aa82f0fd63d3564f46ffed7d42f0e5fd09
Instruction ID: da7fe4f074edda384fcef5a686a59aa3de464c35ed9baca6fddc94690c8080d7
Opcode Fuzzy Hash: 2263d5279e85b5fac2caffb0c45816aa82f0fd63d3564f46ffed7d42f0e5fd09
Instruction Fuzzy Hash: 78516C35A00515DFCB40EFA4D981AAEBBF6EF49310F1484A9E809AB361CB31ED50CF64

Function 006AA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea4cda28c5dab004682f628e981d084c0401172dfd828254600c62c1af930bf
Instruction ID: 7ddce56e616f906edc444373e6c6eefef350fcc672d35dc3a286ea1c4f989b1f
Opcode Fuzzy Hash: dea4cda28c5dab004682f628e981d084c0401172dfd828254600c62c1af930bf
Instruction Fuzzy Hash: 16419135904214BBD720BFA8CC88FE9BBA6EB0B310F140166E816A73E1C730AD51DE52

Function 00622344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00622357
ScreenToClient.USER32(006E57B0,?), ref: 00622374
GetAsyncKeyState.USER32(00000001), ref: 00622399
GetAsyncKeyState.USER32(00000002), ref: 006223A7

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d99a8aaf25ca02b9ad104c67a842dd3c6a631d0823d925975bd44ad90aeea239
Instruction ID: e9ffb7fa928dc5c92ad80895d2c14433443af1740e9662db28d289bb8e3462ff
Opcode Fuzzy Hash: d99a8aaf25ca02b9ad104c67a842dd3c6a631d0823d925975bd44ad90aeea239
Instruction Fuzzy Hash: 4E418F35604616FFCF15DF68C844AE9BBB6FB05361F20431AF828A22A0CB35AD54DF91

Function 006763AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006763E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00676433
TranslateMessage.USER32(?), ref: 0067645C
DispatchMessageW.USER32(?), ref: 00676466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00676475

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 5c814508b36d4a9215b65fdfe03baa6262442f89216969c1344117ff317109cf
Instruction ID: 5a9103cd786ae12ad75dd46fb06f2ab0ce1917ef0364de60e201cf52d23448a6
Opcode Fuzzy Hash: 5c814508b36d4a9215b65fdfe03baa6262442f89216969c1344117ff317109cf
Instruction Fuzzy Hash: 7B310730900B52AFDB64CFB0CC84BF67BEBAB01314F14E169F42AC62A4E7359849DB51

Function 00678A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00678A30
PostMessageW.USER32(?,00000201,00000001), ref: 00678ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00678AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00678AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00678AF8

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 17a293e38fd30ac223c6a6362da36a2aa3a8e96900f1689e4a1fdd364143848a
Instruction ID: 33fff4dca6ce22245742fe64476b7da2ed108ec4994cafc154b33fc197526965
Opcode Fuzzy Hash: 17a293e38fd30ac223c6a6362da36a2aa3a8e96900f1689e4a1fdd364143848a
Instruction Fuzzy Hash: 5031AD71500219EFDB14CFA8D94CADE3BA6EB05315F10822AF929E72D1CBB09D14DB91

Function 0067B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0067B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0067B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0067B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0067B27F
_wcsstr.LIBCMT ref: 0067B289

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 38ad71fe6c922f1a7e5d9f4d43ee31efac38e967b073ba2a899359e1f27631bf
Instruction ID: 5b8b979c0051f1c00fdc95838d303637cf9552942e4ab5d48d0fa80378673ac9
Opcode Fuzzy Hash: 38ad71fe6c922f1a7e5d9f4d43ee31efac38e967b073ba2a899359e1f27631bf
Instruction Fuzzy Hash: EF2107316052017BEB155B759C09FBF7B9ADF4A710F00913DF808DA262EF71DD4196A1

Function 006AB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

GetWindowLongW.USER32(?,000000F0), ref: 006AB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 006AB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006AB1CF
GetSystemMetrics.USER32(00000004), ref: 006AB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00690E90,00000000), ref: 006AB216

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 830c385daf4cfe6b4aa77d375e07b540245a21ef64447459e3d3d6a01f688d53
Instruction ID: 14a70783fdc27547c65386a6ad90ffc6f2289e8730457e2f3f829d09c75e26f8
Opcode Fuzzy Hash: 830c385daf4cfe6b4aa77d375e07b540245a21ef64447459e3d3d6a01f688d53
Instruction Fuzzy Hash: A121A231910261AFCB10AF78DC14BAA37A6EB06321F145739B932C72E1E7309D618F90

Function 00679307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00679320

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00679352
__itow.LIBCMT ref: 0067936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00679392
__itow.LIBCMT ref: 006793A3

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 5fadc526489b37c8cd817d411de08d67057949de972e5d154a784680420ac84d
Instruction ID: 42f7ea4b2874c3b240b60b9422b991be54c5bca2b66f8ba397eba19e7c1213d7
Opcode Fuzzy Hash: 5fadc526489b37c8cd817d411de08d67057949de972e5d154a784680420ac84d
Instruction Fuzzy Hash: D6210A31700214ABDB10AF609C85EEE7BEFEB49721F149029FD08D73D0D6708D458BA2

Function 00695A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00695A6E
GetForegroundWindow.USER32 ref: 00695A85
GetDC.USER32(00000000), ref: 00695AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00695ACD
ReleaseDC.USER32(00000000,00000003), ref: 00695B08

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2d045b3e439f4bd427d076ddcfee59b966384366498d4100023c6f14871af822
Instruction ID: 479a542d50d65aa6b6c9706b2245b197eb7c8abd42db65bac18577d4a9609b0d
Opcode Fuzzy Hash: 2d045b3e439f4bd427d076ddcfee59b966384366498d4100023c6f14871af822
Instruction Fuzzy Hash: 1F219F35A00514AFDB14EFA4DC84A9ABBFAEF49311F148579F80AD7362CA30AC01CF95

Function 006212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0062134D
SelectObject.GDI32(?,00000000), ref: 0062135C
BeginPath.GDI32(?), ref: 00621373
SelectObject.GDI32(?,00000000), ref: 0062139C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ce65b723bed32cf7017c57e2658fc57e186526303c9c99f91947d2cfe5501bee
Instruction ID: 7239e933c2f858c415d7e813a079f86372aee02f73e813837c27c0406db8b8e2
Opcode Fuzzy Hash: ce65b723bed32cf7017c57e2658fc57e186526303c9c99f91947d2cfe5501bee
Instruction Fuzzy Hash: BF219230914B64EFDB10DF55EC847AA3BABFB12315F145225F8119E1B0D3B19891CF91

Function 00684A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00684ABA
__beginthreadex.LIBCMT ref: 00684AD8
MessageBoxW.USER32(?,?,?,?), ref: 00684AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00684B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00684B0A

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: bcbd1510cd442f2925f11f12fa10459a2aa38536a9ec2355cb70e1c9539cc787
Instruction ID: 0346dc5b0f7df38151a4e58fa41c3c77279681e7c33286a720b96a0445d68135
Opcode Fuzzy Hash: bcbd1510cd442f2925f11f12fa10459a2aa38536a9ec2355cb70e1c9539cc787
Instruction Fuzzy Hash: 01114872904255BFCB00AFA89C44ADB7FAEEB45320F144369F914D3350DA71DD008BA1

Function 00678202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0067821E
GetLastError.KERNEL32(?,00677CE2,?,?,?), ref: 00678228
GetProcessHeap.KERNEL32(00000008,?,?,00677CE2,?,?,?), ref: 00678237
RtlAllocateHeap.NTDLL(00000000,?,00677CE2), ref: 0067823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00678255

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 31808fea3b78362568ac7b059de5521957c93b88936778102e073ebb0362e9bc
Instruction ID: 28f711a27b05f99a7bc65ea952b723650ddb3de179a7a73116a0d1c6b7af6704
Opcode Fuzzy Hash: 31808fea3b78362568ac7b059de5521957c93b88936778102e073ebb0362e9bc
Instruction Fuzzy Hash: E3016D71340204BFDB205FA5DC4CDAB7BAEEF8A756B504469F819C3220DA319D00CEA1

Function 0067710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 00677127
ProgIDFromCLSID.COMBASE(?,00000000), ref: 00677142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00677044,80070057,?,?), ref: 00677150
CoTaskMemFree.COMBASE(00000000), ref: 00677160
CLSIDFromString.COMBASE(?,?), ref: 0067716C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: cc4c0562b9586d1c964ae1b56e87bdb6aba9b853e925eff5326da773e24f5c80
Instruction ID: d3ed7e1cd1b0fe4f5b921691bb1d356ab582e332171a708aee2bdf51f740258e
Opcode Fuzzy Hash: cc4c0562b9586d1c964ae1b56e87bdb6aba9b853e925eff5326da773e24f5c80
Instruction Fuzzy Hash: 25018F76601204BBDB119FA4DC44BAABBBEEF45791F188174FD08D2220EB75ED419BA0

Function 00685244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00685260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0068526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00685276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00685280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006852BC

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: bcacbdf615ef50c92a3f32da3130bde13f040073f24789ce2c777d28d1d3475e
Instruction ID: 3115346dbbd497484259080957d41df098f9b903628a078826cd6deee1da16fa
Opcode Fuzzy Hash: bcacbdf615ef50c92a3f32da3130bde13f040073f24789ce2c777d28d1d3475e
Instruction Fuzzy Hash: F4011B31D01A19DBCF00FFE4D8599EDBB7ABB09711F400655E942B2241CF30AA558BA6

Function 0067810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00678121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0067812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0067813A
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00678141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00678157

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 1311948796382c99daebec635f2b2eb278ceea4c7b9aa43289895e135ca3f999
Instruction ID: 1049f9aceda63d90008d36ea58aa723583401cf35c66755c9655755fec57eb08
Opcode Fuzzy Hash: 1311948796382c99daebec635f2b2eb278ceea4c7b9aa43289895e135ca3f999
Instruction Fuzzy Hash: FEF03C71340305AFEB111FA5EC8CEA73BAEEF4A655B404025F94987250DF61AD41DE61

Function 0067C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0067C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0067C20E
MessageBeep.USER32(00000000), ref: 0067C226
KillTimer.USER32(?,0000040A), ref: 0067C242
EndDialog.USER32(?,00000001), ref: 0067C25C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 0a31858f4bade8da4385d8a2c5eda18ea2ac3f58b0378b1bb06135ee477eb542
Instruction ID: ce24bc1ef6a1f181eb702e8e122259d6e4b289dc46aed4aedf92e1d171c25a0c
Opcode Fuzzy Hash: 0a31858f4bade8da4385d8a2c5eda18ea2ac3f58b0378b1bb06135ee477eb542
Instruction Fuzzy Hash: E101A730404704ABEB206F90ED4EF96777ABB01706F00526DB596A14E1DBE07A448F51

Function 006213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006213BF
StrokeAndFillPath.GDI32(?,?,0065B888,00000000,?), ref: 006213DB
SelectObject.GDI32(?,00000000), ref: 006213EE
DeleteObject.GDI32 ref: 00621401
StrokePath.GDI32(?), ref: 0062141C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c835fbf3ed6a18b5e8cd03ecb28d3bf7f3cededb95049cf5caf20e348633c7e5
Instruction ID: 2182309962f9e797b251825a58ab19775bbd002e87afcfbd6ae7f02e378cf9d3
Opcode Fuzzy Hash: c835fbf3ed6a18b5e8cd03ecb28d3bf7f3cededb95049cf5caf20e348633c7e5
Instruction Fuzzy Hash: 61F04430024B58DBDB156F56EC8C7593FE7AB1232AF08A224F46A4C1F1C77059A5DF11

Function 00678992 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0067899D
CloseHandle.KERNEL32(?), ref: 006789B2
CloseHandle.KERNEL32(?), ref: 006789BA
GetProcessHeap.KERNEL32(00000000,?), ref: 006789C3
HeapFree.KERNEL32(00000000), ref: 006789CA

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: c05b8c43f7f1217fb6d225d4daa9ea8026ff6902dc885d6fe52d05196a9ade90
Instruction ID: ff11aa5dace3475f7f71ecd2301c3ce310222860071742df050faab2bb6fd243
Opcode Fuzzy Hash: c05b8c43f7f1217fb6d225d4daa9ea8026ff6902dc885d6fe52d05196a9ade90
Instruction Fuzzy Hash: 9AE05276104505FFDB012FE5EC0C95ABB6AFB8A762B509631F21981470CB32A861DF92

Function 0068C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0068C432
CoCreateInstance.COMBASE(006B2D6C,00000000,00000001,006B2BDC,?), ref: 0068C44A

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

CoUninitialize.COMBASE ref: 0068C6B7

Strings

.lnk, xrefs: 0068C3C6, 0068C3EE, 0068C3F8

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: cb9c0ca367b82771587a47efe575ea9bde8a517b9b4870e5f51c52980609074f
Instruction ID: c7f58faf5b5d1aef0b0d2474e1199cff8c9671233a5dc67ba8e6c337c8509007
Opcode Fuzzy Hash: cb9c0ca367b82771587a47efe575ea9bde8a517b9b4870e5f51c52980609074f
Instruction Fuzzy Hash: 52A17B71104205AFD344EF54D881EABB7EAFF85354F004A2CF196871A2EB70EA49CF66

Function 00632CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00640DB6: std::exception::exception.LIBCMT ref: 00640DEC
Part of subcall function 00640DB6: __CxxThrowException@8.LIBCMT ref: 00640E01

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 00627A51: _memmove.LIBCMT ref: 00627AAB

__swprintf.LIBCMT ref: 00632ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00632D66

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 6c190f4089182b076e222043cdda25c01a82a9e702b20bd2e41bb4fc5b350951
Instruction ID: e1d54794457ec5b8ebf77c732e90c5e5333e5702d96be1a70455fea073b1b871
Opcode Fuzzy Hash: 6c190f4089182b076e222043cdda25c01a82a9e702b20bd2e41bb4fc5b350951
Instruction Fuzzy Hash: 43918D71508712DFC754EF24E896CAFB7A6EF85710F00491DF4469B2A1DA30ED44CB96

Function 0068B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00624750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00624743,?,?,006237AE,?), ref: 00624770

CoInitialize.OLE32(00000000), ref: 0068B9BB
CoCreateInstance.COMBASE(006B2D6C,00000000,00000001,006B2BDC,?), ref: 0068B9D4
CoUninitialize.COMBASE ref: 0068B9F1

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

Strings

.lnk, xrefs: 0068B99D, 0068B9AB

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: b92efffa2b4bae45223836893764a8a255be6a6fd6f65bea11756432d595b6ba
Instruction ID: 8012b1abf3af93002acfed5df4fb08d42e2aa9f46cd9da3b06020a8f2ec096e3
Opcode Fuzzy Hash: b92efffa2b4bae45223836893764a8a255be6a6fd6f65bea11756432d595b6ba
Instruction Fuzzy Hash: 1DA134756042119FCB14EF24C484DAABBE6FF89314F048A98F8999B3A1CB31EC45CF95

Function 0067B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0067B4BE

Strings

%k, xrefs: 0067B561
Container, xrefs: 0067B43B
AutoIt3GUI, xrefs: 0067B436

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%k
API String ID: 3565006973-671182982
Opcode ID: 28b298c1a54debd66b415f31be06bf39e04c90e2760a80412ff9d22f39d03248
Instruction ID: 91b73067303b749bf46e30074595dcf8d0516671e3735a10f17fd066f61b52a1
Opcode Fuzzy Hash: 28b298c1a54debd66b415f31be06bf39e04c90e2760a80412ff9d22f39d03248
Instruction Fuzzy Hash: 2E912770600601AFDB54DF64C884BAABBE6FF49710F24956EF94ACB391EB70E841CB50

Function 0064501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006450AD

Part of subcall function 006500F0: __87except.LIBCMT ref: 0065012B

Strings

pow, xrefs: 00645085, 006450A2

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: af35742741766342d7d8122a32e0826b821d263576cf4ebc98d3ffef1ceef4d0
Instruction ID: b8d7f6e709ce0a9dc94144123ae07e389192d0d4cd78d31cdcd1bb27cb3e4be8
Opcode Fuzzy Hash: af35742741766342d7d8122a32e0826b821d263576cf4ebc98d3ffef1ceef4d0
Instruction Fuzzy Hash: 86515D75908A0297EB217B54C9053BE2F979B40B01F208D5DE8D6863DBDF34CDDC9A8A

Function 00668584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0066862B
_memmove.LIBCMT ref: 00668685

Strings

_c, xrefs: 006686FF, 0066DFDC, 0066DFF8
3cc, xrefs: 0066860C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memmove
String ID: 3cc$_c
API String ID: 4104443479-1111051329
Opcode ID: 8689979f688c1ab7e55c1c92174f0b5a830def68ff64e7efe7dc8a04b63bada3
Instruction ID: 8b7d8a7832e223deb37fd52d4002774bc2946dc050dab0252a858b1a8c287ebf
Opcode Fuzzy Hash: 8689979f688c1ab7e55c1c92174f0b5a830def68ff64e7efe7dc8a04b63bada3
Instruction Fuzzy Hash: 2F510C70A006199FCF64CF68D884AEEBBF2FF45304F148529E85AD7350EB31A965CB91

Function 006797F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00679296,?,?,00000034,00000800,?,00000034), ref: 006814E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0067983F

Part of subcall function 00681487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 006814B1

Part of subcall function 006813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00681409
Part of subcall function 006813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0067925A,00000034,?,?,00001004,00000000,00000000), ref: 00681419
Part of subcall function 006813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0067925A,00000034,?,?,00001004,00000000,00000000), ref: 0068142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006798AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006798F9

Strings

@, xrefs: 00679911

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9debe2b5ebc02f3fc8b13d94da278a20c7c273bfedf818607d17c53d40f65470
Instruction ID: 74d538b789b533fb9ac2ea13be93a61c661b58a4ba89e2466f404a97af07d54e
Opcode Fuzzy Hash: 9debe2b5ebc02f3fc8b13d94da278a20c7c273bfedf818607d17c53d40f65470
Instruction Fuzzy Hash: 0341427690021CBFDB10EFA4CC41EDEBBB9EB0A300F144159FA59B7251DA716E45CBA1

Function 006A7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,006AF910,00000000,?,?,?,?), ref: 006A79DF
GetWindowLongW.USER32 ref: 006A79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006A7A0C

Strings

SysTreeView32, xrefs: 006A79B1

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 8cd5c52e8d9dfd5365869d33fa19a80d0e5fe0040150fdee57f79304db18fa5d
Instruction ID: b10cca1d2d710061794089b1f6cbd3d8ae05f48b4cf7a47d820729477f319cd5
Opcode Fuzzy Hash: 8cd5c52e8d9dfd5365869d33fa19a80d0e5fe0040150fdee57f79304db18fa5d
Instruction Fuzzy Hash: AE31AE31204606AFDB51AF78DC41BEB77AAEB0A324F208725F975922E0D731ED519F60

Function 006A73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006A7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006A7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 006A7499

Strings

SysMonthCal32, xrefs: 006A742C

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 51f87788b3c3d8f18ce3d4d3b7b595b12421ebadfb6ab1582f9c718796d1c31c
Instruction ID: 39799aa1993a080f8f2941810a67f789fd79860a452ff0c6bd82d249e2ed2324
Opcode Fuzzy Hash: 51f87788b3c3d8f18ce3d4d3b7b595b12421ebadfb6ab1582f9c718796d1c31c
Instruction Fuzzy Hash: A4219F32500218ABDF119FA4CC46FEA3BAAEF4D724F110214FE156B191DAB5AC519FA0

Function 006A6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006A6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006A6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006A6D70

Strings

Listbox, xrefs: 006A6D08

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 7d1a8673d30ffb19c72868e481a02297c40b84eb9bb9bb22687ae96e88b39089
Instruction ID: 1ebe38020692025563dd77d3fd4a93dfd239c47ed63d40c288d81a6a1669d17d
Opcode Fuzzy Hash: 7d1a8673d30ffb19c72868e481a02297c40b84eb9bb9bb22687ae96e88b39089
Instruction Fuzzy Hash: FA218332610118BFDF11AF54DC45EEB37ABEF8A760F058128FA455B290C671AC518BA0

Function 006939E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00693A66

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Strings

%k, xrefs: 006939F4
AUTOITCALLVARIABLE%d, xrefs: 00693A58
, $, xrefs: 00693AA6

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%k
API String ID: 3506404897-183977080
Opcode ID: 0eb6640033c1bc6e418e6883088b9ca51dd4af1eef2beec65d816da93f2b06b1
Instruction ID: 648e05edac7fb7c855b711f41fca758933cd9c10c53540ef7ee203b2ce78b79b
Opcode Fuzzy Hash: 0eb6640033c1bc6e418e6883088b9ca51dd4af1eef2beec65d816da93f2b06b1
Instruction Fuzzy Hash: 75216F31B00629AFCF50EF64DC86EAE77BBAF44700F504459F855A7281DB30EA45CB69

Function 006A770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006A7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006A7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006A7794

Strings

msctls_trackbar32, xrefs: 006A7749

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 2eac809a4bb4e9711ec457c540ba9ade390ba623a6cff79bffa2290061df9a2a
Instruction ID: e1a2a421de62b1ed98a20cbb2e2d54dd83e45f7534526b0de38fca24311816ab
Opcode Fuzzy Hash: 2eac809a4bb4e9711ec457c540ba9ade390ba623a6cff79bffa2290061df9a2a
Instruction Fuzzy Hash: C8112732204208BAEF106F60CC01FD7376AEF8AB54F010118F64196190C271E811CF20

Function 00624B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00624AD0), ref: 00624B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00624B57

Strings

kernel32.dll, xrefs: 00624B40
GetNativeSystemInfo, xrefs: 00624B51

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 507309feb58cc85d65f1614859f6098a098d94e013c9649f78789e26ace82255
Instruction ID: 047b6d1b590b73b647635d3e50bb0fc6ea27317dc929e13a1a0a9394e0245299
Opcode Fuzzy Hash: 507309feb58cc85d65f1614859f6098a098d94e013c9649f78789e26ace82255
Instruction Fuzzy Hash: EBD01234A10723CFD720AFB1E858B4676E6AF06351B118839D486D6250DA70EC80CE65

Function 00624C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00624B83,?), ref: 00624C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00624C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00624C50
kernel32.dll, xrefs: 00624C3F

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: fbd1a57fa81e45ea50eab36ba99d0203b6f72f6e1daead63f9cfadd56868c2f5
Instruction ID: b67f423497baa22614ab6341aa11c53319ea4d6ac756e9c71429a4c6a8d62fe0
Opcode Fuzzy Hash: fbd1a57fa81e45ea50eab36ba99d0203b6f72f6e1daead63f9cfadd56868c2f5
Instruction Fuzzy Hash: 63D01230610B23CFD7206F75E94864676E6AF06351B11883AD496D6660EA70D880CE61

Function 00624C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00624BD0,?,00624DEF,?,006E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00624C23

Strings

kernel32.dll, xrefs: 00624C0C
Wow64DisableWow64FsRedirection, xrefs: 00624C1D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: c578d1042b4b531d5317f2085edc9d2f4a84117ffd69e764d4a63e9f47f3c86a
Instruction ID: 20afe82517c89e8a5c539c8ec0e7f75461a86213d4150b17c9d65287c5b469e2
Opcode Fuzzy Hash: c578d1042b4b531d5317f2085edc9d2f4a84117ffd69e764d4a63e9f47f3c86a
Instruction Fuzzy Hash: D9D01230611B23CFD720BFB5ED48646B6E7EF0A352B119C3AD486D6650EEB0D880CE61

Function 006A0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,006A1039), ref: 006A0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006A0E07

Strings

RegDeleteKeyExW, xrefs: 006A0E01
advapi32.dll, xrefs: 006A0DF0

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 792533915ee5311a309a71c713454e366eff0c75d678997ff467a545a6c5fecf
Instruction ID: 98383bbe290750b49767fd91d811d0eb7d8baf20ca03239dd4ac6f1a9b357e75
Opcode Fuzzy Hash: 792533915ee5311a309a71c713454e366eff0c75d678997ff467a545a6c5fecf
Instruction Fuzzy Hash: F7D01770950722CFE720AFB5D84868676E7AF16352F129C7ED486D2250EAB0EC90CE61

Function 006990E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00698CF4,?,006AF910), ref: 006990EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00699100

Strings

GetModuleHandleExW, xrefs: 006990FA
kernel32.dll, xrefs: 006990E9

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 12bc7cfc3f9c9e6f3cfe1b3270adc6284f06067bed3032f5d95adfd3fb5c11bc
Instruction ID: e7cf0267b57393a2e8caf69cd5f05e377841f7430e2ec7d649ae49b24d14a3d1
Opcode Fuzzy Hash: 12bc7cfc3f9c9e6f3cfe1b3270adc6284f06067bed3032f5d95adfd3fb5c11bc
Instruction Fuzzy Hash: 54D01234510713CFDB20AF75D85C54676EAAF06352B168C3ED485D6650EA70D880CA61

Function 00661714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00661718
__swprintf.LIBCMT ref: 00661749

Strings

WIN_XPe, xrefs: 00661788
%.3d, xrefs: 00661723

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: a04314f896a0901e37b651dd030a3844e35b3760217a8f6cc79364d67d74caec
Instruction ID: 373b35b92f49a2121a7d2741e1535d88c3eaf735591cdaae98a77c726f2dcecf
Opcode Fuzzy Hash: a04314f896a0901e37b651dd030a3844e35b3760217a8f6cc79364d67d74caec
Instruction Fuzzy Hash: 51D01771804129FACB409B909C888F97B7EAB0A311F180463B406E6140E226AB96EA21

Function 0067717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ddc295d04edc00465aad524984119eca507cecd738de7c2aa9c8277b3c5e1d1
Instruction ID: 682c01a82262511dd64945d19422f15ec3213eb67a3c3935bef16d35ce9c4106
Opcode Fuzzy Hash: 7ddc295d04edc00465aad524984119eca507cecd738de7c2aa9c8277b3c5e1d1
Instruction Fuzzy Hash: 7EC12C75A04216EFCB14CFA4C884AAEBBF6FF48714B158598E819EB351D730ED81DB90

Function 0069E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0069E0BE
CharLowerBuffW.USER32(?,?), ref: 0069E101

Part of subcall function 0069D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0069D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0069E301
_memmove.LIBCMT ref: 0069E314

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 0095d4f7852bd2d08c92f4230f8c1a340bc018a9dbbc271e116fc270ec337239
Instruction ID: 5083c16d9e08e94d2ca1226e4f16072f46472dfde4a43dc015a6cd44c2e45615
Opcode Fuzzy Hash: 0095d4f7852bd2d08c92f4230f8c1a340bc018a9dbbc271e116fc270ec337239
Instruction Fuzzy Hash: E5C15871A043119FCB44DF28C48096ABBEAFF89714F04896EF8999B351D731E946CF82

Function 00698093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006980C3
CoUninitialize.COMBASE ref: 006980CE

Part of subcall function 0067D56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0067D5D4

VariantInit.OLEAUT32(?), ref: 006980D9
VariantClear.OLEAUT32(?), ref: 006983AA

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 977f3e1e9a72dcb9f1703221d7a1356d3cafead8ab33a1941d8b6b7f51ad9c22
Instruction ID: 3441e16735bd7872aa553dd2ae86c51a5d0bc3e73b184289c3160487d464f9f7
Opcode Fuzzy Hash: 977f3e1e9a72dcb9f1703221d7a1356d3cafead8ab33a1941d8b6b7f51ad9c22
Instruction Fuzzy Hash: 9DA16A35604B119FCB40DF64C481A6AB7EABF8A714F08481CF9959B7A1CB34ED05CF9A

Function 00677530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.COMBASE(?,00000000), ref: 006776EA
CoTaskMemFree.COMBASE(00000000), ref: 00677702
CLSIDFromProgID.COMBASE(?,?), ref: 00677727
_memcmp.LIBCMT ref: 00677748

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 9792efb3f5d6aed68e6b2b6b9e9531a1ba38ef3b2225f5d5d1f82eb32cee9640
Instruction ID: 77b6f678a41412e5069f7387241c12f1e9d1f2ca74b11b83b190f8e9295d3815
Opcode Fuzzy Hash: 9792efb3f5d6aed68e6b2b6b9e9531a1ba38ef3b2225f5d5d1f82eb32cee9640
Instruction Fuzzy Hash: 7C81FD75A00119EFCB04DFA4C984DEEB7BAFF89315F208558E505AB250DB71AE46CB60

Function 0067687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0067688E
SysAllocString.OLEAUT32(00000000), ref: 00676937
VariantCopy.OLEAUT32 ref: 00676966
VariantClear.OLEAUT32(?), ref: 0067698D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 4d973d36096201f1e9afe9578a287feeb68b8a23f9b9d9db5b2033f97befd8ca
Instruction ID: f70d21c358cc7c84c69a31c485ae9a40119c0a334c430e46e5beaea0e89c0b6d
Opcode Fuzzy Hash: 4d973d36096201f1e9afe9578a287feeb68b8a23f9b9d9db5b2033f97befd8ca
Instruction Fuzzy Hash: 4351D374700B029EDF64AF65D891A6AB3E7AF45310F20D81FF59EDB292DA30D8818B15

Function 006A97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0151DDD0,?), ref: 006A9863
ScreenToClient.USER32(00000002,00000002), ref: 006A9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 006A9903

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0934f0658f8312e95f80afb58c93ba1b8939e49e777cef82ca7248360c566227
Instruction ID: 03cce2c308208f1af3de857590a48ff7235d557131f5df561f3dd9554aa9bb9e
Opcode Fuzzy Hash: 0934f0658f8312e95f80afb58c93ba1b8939e49e777cef82ca7248360c566227
Instruction Fuzzy Hash: 80512C34A00209AFCB14EF54D884AEE7BB6FF56360F248559F9559B3A0D731AD41CFA0

Function 00679A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00679AD2
__itow.LIBCMT ref: 00679B03

Part of subcall function 00679D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00679DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00679B6C
__itow.LIBCMT ref: 00679BC3

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 577692fb85cd5364456bf64055fbe7186b302f9a7c9a4feae4e7ba049358f4f6
Instruction ID: 0682836443c0eafac43c0ed5168dfcf7eb60b1b1c0454cbf09c63e1550f86b33
Opcode Fuzzy Hash: 577692fb85cd5364456bf64055fbe7186b302f9a7c9a4feae4e7ba049358f4f6
Instruction Fuzzy Hash: 6A41B170A00619ABDF21EF64D846FEE7BFBEF45710F004069F909A7291DB709A44CBA5

Function 0068B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0068B89E
GetLastError.KERNEL32(?,00000000), ref: 0068B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0068B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0068B915

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ad2183a43cac411d323184fdacb4debbe848053749496a1cc851ecbff883bba1
Instruction ID: 4e765dc531a71be35377c1cc5480c6e2a7f90fdda74ee22ccd0f46addeb7421b
Opcode Fuzzy Hash: ad2183a43cac411d323184fdacb4debbe848053749496a1cc851ecbff883bba1
Instruction Fuzzy Hash: 4D412D35600910DFCB50EF65D444A99BBE2EF8A310F098498EC4A9B362CB34FD01CFA9

Function 006A8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006A88DE

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3861b3335f9c0c4497fbe083c27681db2f8fd110738496e00aeb5478c3e8966b
Instruction ID: 68a218f371960edf6bafb84044097db87e64f26e64cc21125970b338b84ca1e5
Opcode Fuzzy Hash: 3861b3335f9c0c4497fbe083c27681db2f8fd110738496e00aeb5478c3e8966b
Instruction Fuzzy Hash: 7D319034600208AEEB24BB58CC85BFA77B7EB07310F544116FA55E72A1CE74ED409F96

Function 006AAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 006AAB60
GetWindowRect.USER32(?,?), ref: 006AABD6
PtInRect.USER32(?,?,006AC014), ref: 006AABE6
MessageBeep.USER32(00000000), ref: 006AAC57

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: d12d4d935887e0be3a3ac2b96737500323b3e1fb63334417608f9ef4abba60da
Instruction ID: 06c5b9f578a884a86ec1d661e11d589cf88c296ee9097b4e421cfa4b5c543d13
Opcode Fuzzy Hash: d12d4d935887e0be3a3ac2b96737500323b3e1fb63334417608f9ef4abba60da
Instruction Fuzzy Hash: 6B415F34600219DFDB11EF98D884AA97BF7FB4A320F1490AAE4169F361D730AC45CF92

Function 00680AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00680B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00680B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00680BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00680BFB

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d35ef69e6d9b873211720b2d399e57e51e95bc0ed4139fd0f01043d5ea0837eb
Instruction ID: 53d63238492da3ac7946ceca809c56bcdb9f0ef89459315bf9a7c78515f41d5f
Opcode Fuzzy Hash: d35ef69e6d9b873211720b2d399e57e51e95bc0ed4139fd0f01043d5ea0837eb
Instruction Fuzzy Hash: B7318C70D40208AFFF70AF65CC05BFABBABAF55314F044B5AF480522D1C37699499756

Function 00680C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 00680C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00680C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00680CE1
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 00680D33

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 82280112bbcd50b9b61a3cdfc4e0c505c7f54c82ddb0a02b42ab5f679a62c1ae
Instruction ID: a0caa6c22361352f9e0b63239f835f4a2ec1a2dce2bbc16acc08983b5faebd58
Opcode Fuzzy Hash: 82280112bbcd50b9b61a3cdfc4e0c505c7f54c82ddb0a02b42ab5f679a62c1ae
Instruction Fuzzy Hash: 00316930940208AEFFB0AFA5CC15BFEBB67AF4A310F048B1EE484522D1C3399D498752

Function 006561C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 006561FB
__isleadbyte_l.LIBCMT ref: 00656229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00656257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0065628D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 6edc964e466c910d8d1b9044cf05153d535ee5a26264b3c5a9b3f026a8c5b04a
Instruction ID: e45c2b4f52099493b59865676415e3510a50ea55e614ea90297448862b5d53b5
Opcode Fuzzy Hash: 6edc964e466c910d8d1b9044cf05153d535ee5a26264b3c5a9b3f026a8c5b04a
Instruction Fuzzy Hash: 7931CE30604246AFDF218F65CC44BBA7BAAFF42312F554128FC64872A1DB31EE54DB90

Function 006A4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006A4F02

Part of subcall function 00683641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0068365B
Part of subcall function 00683641: GetCurrentThreadId.KERNEL32 ref: 00683662
Part of subcall function 00683641: AttachThreadInput.USER32(00000000,?,00685005), ref: 00683669

GetCaretPos.USER32(?), ref: 006A4F13
ClientToScreen.USER32(00000000,?), ref: 006A4F4E
GetForegroundWindow.USER32 ref: 006A4F54

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: da2f0a1dd55d94eafd5f7fd0a8ae152f365a47b4a557e7abde0318a1498ad2f4
Instruction ID: ed48f9ff0b2b8df4b5871c265bbcc13d40d1cdbdcf005ba84757f01c3df2bccf
Opcode Fuzzy Hash: da2f0a1dd55d94eafd5f7fd0a8ae152f365a47b4a557e7abde0318a1498ad2f4
Instruction Fuzzy Hash: 68314D71D00118AFCB40EFA5DC819EFB7FAEF89300F10446AE415E7241EA75AE058FA5

Function 00678656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0067810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00678121
Part of subcall function 0067810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0067812B
Part of subcall function 0067810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0067813A
Part of subcall function 0067810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00678141
Part of subcall function 0067810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00678157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006786A3
_memcmp.LIBCMT ref: 006786C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006786FC
HeapFree.KERNEL32(00000000), ref: 00678703

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: f89efd2e262125ba58783d1a00be4b49e5f661e33226cb3530f0638af3012a4a
Instruction ID: 50b620f2522e5dfaf5256ceb19e0cfdc3fbd55548ef2622067217efa67aa4d02
Opcode Fuzzy Hash: f89efd2e262125ba58783d1a00be4b49e5f661e33226cb3530f0638af3012a4a
Instruction Fuzzy Hash: C7217A71E80109EFDB10DFA4C949BEEB7BAEF55304F158099E448AB240DB31AE05CFA0

Function 0064098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 006409AE

Part of subcall function 00625A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00687896,?,?,00000000), ref: 00625A2C
Part of subcall function 00625A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00687896,?,?,00000000,?,?), ref: 00625A50

_fprintf.LIBCMT ref: 006409E5
OutputDebugStringW.KERNEL32(?), ref: 00675DBB

Part of subcall function 00644AAA: _flsall.LIBCMT ref: 00644AC3

__setmode.LIBCMT ref: 00640A1A

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: f77a18d38c2b9e6471d119e7643f2405d2bf06b59b09d0b9c72851ec4c28e3b1
Instruction ID: 8962f45e93e11870e659f1f58ef78b3600d2fe989fa464ef7e5b206ddec72adf
Opcode Fuzzy Hash: f77a18d38c2b9e6471d119e7643f2405d2bf06b59b09d0b9c72851ec4c28e3b1
Instruction Fuzzy Hash: 6E1127319046146FDB44B7B4AC87AFE7B6B9F42320F64415DF20557282EE70598247AD

Function 00691767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006917A3

Part of subcall function 0069182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0069184C
Part of subcall function 0069182D: InternetCloseHandle.WININET(00000000), ref: 006918E9

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a2e8b67f0ac1252791dd254a04fe36224603c993fe1627e133e63c66c56381e3
Instruction ID: 8f2fa58772ff193cea65bd548ee75c02c6f7e332e33fcdd58d204f2c1e3804ee
Opcode Fuzzy Hash: a2e8b67f0ac1252791dd254a04fe36224603c993fe1627e133e63c66c56381e3
Instruction Fuzzy Hash: CF218331200606BFDF125FA0DC41BBAB7EFFB4A710F204429F9119AA50D771D811ABA5

Function 00683A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,006AFAC0), ref: 00683A64
GetLastError.KERNEL32 ref: 00683A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00683A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,006AFAC0), ref: 00683ADF

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 6b35daeb61b36aa2b26b56917f65f9b637e178480c9a35c0888fa0f6ec085046
Instruction ID: f4d2be889d877a3499321352a44255d5e0aef7d155aaa71d013ba37d233dc696
Opcode Fuzzy Hash: 6b35daeb61b36aa2b26b56917f65f9b637e178480c9a35c0888fa0f6ec085046
Instruction Fuzzy Hash: 7721B1745082118F8314FF68D8818AA77E6AF16764F104A2DF499C73A1D7319E46CF82

Function 006550E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00655101

Part of subcall function 0064571C: __FF_MSGBANNER.LIBCMT ref: 00645733
Part of subcall function 0064571C: __NMSG_WRITE.LIBCMT ref: 0064573A
Part of subcall function 0064571C: RtlAllocateHeap.NTDLL(01500000,00000000,00000001), ref: 0064575F

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 63e78b1bf21ede77dc6bcc770e5314ac1910b947ff7cb605f5e009d22536aaca
Instruction ID: 0dda64bc94044ac03fe9561dbb55e9eaa08e9029b385832ba7ed3c07b8b748d3
Opcode Fuzzy Hash: 63e78b1bf21ede77dc6bcc770e5314ac1910b947ff7cb605f5e009d22536aaca
Instruction Fuzzy Hash: 2511BF72900E11AFCF313FB0A86D79D3B9B9B013A2F10052EFD469A251DE3489459A98

Function 006244A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006244CF

Part of subcall function 0062407C: _memset.LIBCMT ref: 006240FC
Part of subcall function 0062407C: _wcscpy.LIBCMT ref: 00624150
Part of subcall function 0062407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00624160

KillTimer.USER32(?,00000001,?,?), ref: 00624524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00624533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0065D4B9

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 098925b072779167b87f18c867cea1b63e5f3316034560c6b9d4af5597091e5e
Instruction ID: 0c02a31c60d1a05484944b3e748c8f2a8056c8ab1aaeac2e81ce55bb60ecbcf9
Opcode Fuzzy Hash: 098925b072779167b87f18c867cea1b63e5f3316034560c6b9d4af5597091e5e
Instruction Fuzzy Hash: C9210770904794AFE732DB249855BE6BBEE9F05309F04009DE7CE5A282C7746A89CB52

Function 00696369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00625A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00687896,?,?,00000000), ref: 00625A2C
Part of subcall function 00625A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00687896,?,?,00000000,?,?), ref: 00625A50

gethostbyname.WS2_32(?), ref: 00696399
WSAGetLastError.WS2_32(00000000), ref: 006963A4
_memmove.LIBCMT ref: 006963D1
inet_ntoa.WS2_32(?), ref: 006963DC

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 866da89dcfb1be5b70d2fdf2edd987e8422727b7bc42a3c22c32108668e7a122
Instruction ID: c446d560d129af2cb4a7128e7aa4775f5702fe8cca614dc8bdba539a4f7af252
Opcode Fuzzy Hash: 866da89dcfb1be5b70d2fdf2edd987e8422727b7bc42a3c22c32108668e7a122
Instruction Fuzzy Hash: 49116032900519AFCF40FFA4ED46CEEB7BAAF55310B144069F506A7261DB30AE14DF65

Function 006785B0 Relevance: 6.1, APIs: 4, Instructions: 61processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006785E2
OpenProcessToken.ADVAPI32(00000000), ref: 006785E9
CloseHandle.KERNEL32(00000004), ref: 00678603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00678632

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: ad13f4b5564dd95544b3607cbee1004d8cc8be6de87fbb14238492b6f5574a7c
Instruction ID: 34f02ae6338b8e86e4841a6bcdb96ec06a2ee01ceb7105e4f09f8ff8945f3f7d
Opcode Fuzzy Hash: ad13f4b5564dd95544b3607cbee1004d8cc8be6de87fbb14238492b6f5574a7c
Instruction Fuzzy Hash: 44117972500109BFDF019FE4EC48AEE7BAAEF09304F044168FE08A2160C7729E20EB21

Function 00678B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00678B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00678B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00678B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00678BA4

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4ab21975033981825207686894a728092c408b234f743c87b844e45771c01233
Instruction ID: baa69d049a976ecc9b3e8033d7ee299c9efefa8a9d9a15aaee5da3cd6410f86e
Opcode Fuzzy Hash: 4ab21975033981825207686894a728092c408b234f743c87b844e45771c01233
Instruction Fuzzy Hash: A3115A79940218FFEB10DFA5CC84FADBBB9FB48710F2040A5EA04B7290DA716E11DB94

Function 0067D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0067D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0067D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0067D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0067D897

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 63048bbe5636159b62130655efa8ffec98ec48f40586688bbabb4d9c74bc1652
Instruction ID: 332c1e124d0a7533c0004f2b3261882a6666b8aa6be7aaf79b4b2e60c1b9a01e
Opcode Fuzzy Hash: 63048bbe5636159b62130655efa8ffec98ec48f40586688bbabb4d9c74bc1652
Instruction Fuzzy Hash: A9116175605304DBE3209F90DC08F93BBFDEF04B00F108A69E55AD6591D7B0E9499FA2

Function 00656FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00656FDB

Part of subcall function 006576C2: __fltout2.LIBCMT ref: 006576EB

__cftog_l.LIBCMT ref: 00657001
__cftoe_l.LIBCMT ref: 00657033

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: a6c3eda0256bf3146134be21775d41fe872b6c88d081678ecb2ea756317449fd
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 0F014CB244814ABBCF165F84EC01CEE3FA7BB18356F588415FE1859171D236C9BAAB81

Function 006AB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006AB2E4
ScreenToClient.USER32(?,?), ref: 006AB2FC
ScreenToClient.USER32(?,?), ref: 006AB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006AB33B

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 377ae6a9cd6164012e9225653ef7b8da3f302aea6ca82c2d5c2d033628dcdce8
Instruction ID: 845ddb95cd4460d8378406476ea3ca15f891c76e7c09beb16ddcf5a970fd4315
Opcode Fuzzy Hash: 377ae6a9cd6164012e9225653ef7b8da3f302aea6ca82c2d5c2d033628dcdce8
Instruction Fuzzy Hash: C31174B9D00209EFDB01DFA9C8849EEBBF9FF09310F109166E914E3220D731AA518F91

Function 006AB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006AB644
_memset.LIBCMT ref: 006AB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006E6F20,006E6F64), ref: 006AB682
CloseHandle.KERNEL32 ref: 006AB694

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: ae7a0aa3b6285606dc78c93c109b765990da514d75442d025db3de4213f1092a
Instruction ID: 837f2ee9467244b0c51adc4bdae626ddead7332086a097b823e611c7ba7a4510
Opcode Fuzzy Hash: ae7a0aa3b6285606dc78c93c109b765990da514d75442d025db3de4213f1092a
Instruction Fuzzy Hash: E1F05EB25403807AE7102B61FC46FBB7A9FEB193D5F006020FA08EA192D7715C008BA9

Function 00686BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00686BE6

Part of subcall function 006876C4: _memset.LIBCMT ref: 006876F9

_memmove.LIBCMT ref: 00686C09
_memset.LIBCMT ref: 00686C16
RtlLeaveCriticalSection.NTDLL(?), ref: 00686C26

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: c819c113b42cc70edcaaf19db8b082975d87e00dd572edd5d46c59c3430b20a0
Instruction ID: c01fe36a872810f27267b955c66fd42ebeabfa13122e75b09011b2c7dbba6cc6
Opcode Fuzzy Hash: c819c113b42cc70edcaaf19db8b082975d87e00dd572edd5d46c59c3430b20a0
Instruction Fuzzy Hash: F7F05E3A200100BBCF817F95DC85A8ABB2AEF46321F148065FE085F227D731E911CBB9

Function 00622218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00622231
SetTextColor.GDI32(?,000000FF), ref: 0062223B
SetBkMode.GDI32(?,00000001), ref: 00622250
GetStockObject.GDI32(00000005), ref: 00622258
GetWindowDC.USER32(?,00000000), ref: 0065BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0065BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0065BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0065BEC2
GetPixel.GDI32(00000000,?,?), ref: 0065BEE2
ReleaseDC.USER32(?,00000000), ref: 0065BEED

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 57d56ccf8b635fc475592319963df03fe56a9380ee7118cdcd08b482916526f7
Instruction ID: 5b747245a88cdf5a0e9c4acc820eda86446a809ec15218d845a516aab4629b21
Opcode Fuzzy Hash: 57d56ccf8b635fc475592319963df03fe56a9380ee7118cdcd08b482916526f7
Instruction Fuzzy Hash: 1DE03932504244EADB216FA4FC0D7D83B12EB16332F1493A6FA69480E187724984DF22

Function 00678712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0067871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,006782E6), ref: 00678722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006782E6), ref: 0067872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,006782E6), ref: 00678736

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 599a1aa206e2877b6037641aae3f964d641e13cb3709255089491b179a54bb0c
Instruction ID: b9d9abffb9cc80d01388495062ed2094af2626be0993820b09fdb1e80502760b
Opcode Fuzzy Hash: 599a1aa206e2877b6037641aae3f964d641e13cb3709255089491b179a54bb0c
Instruction Fuzzy Hash: C0E086366512119FD7606FF05D0CF9B7BAEEF52791F148828B24ACA040DA349841CF51

Function 00626240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%k, xrefs: 0062624E

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID:
String ID: %k
API String ID: 0-3601005739
Opcode ID: a4e3372d93f6cd9ad702260c8b3581d30ac0fe68aab0608bf2e45fdc4f9c8936
Instruction ID: 48c99a68fb9b9f44d2e198e3d1c38fd6894c4ec3f31ac0fdc2751b5f67c5ecb8
Opcode Fuzzy Hash: a4e3372d93f6cd9ad702260c8b3581d30ac0fe68aab0608bf2e45fdc4f9c8936
Instruction Fuzzy Hash: 4FB1A371800929DACF24EF94E8819FDB7B7EF44310F10812AF942A7291DB309E86CF95

Function 0068AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0063FC86: _wcscpy.LIBCMT ref: 0063FCA9

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

__wcsnicmp.LIBCMT ref: 0068B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0068B0F6

Strings

LPT, xrefs: 0068B027

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 7305201869c9a7ff69f898e9a66bed2b12d2b4ccbd42ff61d620f5470d98987a
Instruction ID: f6388e122f2b589770988acb413aa98ccf1d34edbcba81f855536be0744f5309
Opcode Fuzzy Hash: 7305201869c9a7ff69f898e9a66bed2b12d2b4ccbd42ff61d620f5470d98987a
Instruction Fuzzy Hash: F361B171A00218AFCB14EF94C895EEEB7B6EF09310F004169F956AB391D770AE40CB94

Function 00632957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00632968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00632981

Strings

@, xrefs: 00632975

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d84a9ea19e5ef4c967144a8fc9fbcb83e61458c393a0d826e779081074577a55
Instruction ID: dde2ff8374fb69fc416a5317158e5a2704bf1fec27c4ce8c194d0d15dd49661b
Opcode Fuzzy Hash: d84a9ea19e5ef4c967144a8fc9fbcb83e61458c393a0d826e779081074577a55
Instruction Fuzzy Hash: 47513771419B549BD360EF10EC86BABBBE9FF85354F42885DF2D8410A1DF308529CB6A

Function 00689734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00624F0B: __fread_nolock.LIBCMT ref: 00624F29

_wcscmp.LIBCMT ref: 00689824
_wcscmp.LIBCMT ref: 00689837

Strings

FILE, xrefs: 00689770

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 61c3b449ec9e9e2eafcc0f802ecf3c7b9ce5c249142ba87d7ce1f7277327d292
Instruction ID: 960a7df8d0c9d0c2a80d7e65c854aa4396cefedac4d35b9794db07fe4f1103ef
Opcode Fuzzy Hash: 61c3b449ec9e9e2eafcc0f802ecf3c7b9ce5c249142ba87d7ce1f7277327d292
Instruction Fuzzy Hash: 9641C671A0021ABADF20AEA0DC45FEFBBBEDF85710F010569F904B7281DA719A058B65

Function 0069258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0069259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006925D4

Strings

|, xrefs: 006925A5

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 3848166f131fb00e841a1097599100b69284f6c29997c2aee890e55a201e4dbf
Instruction ID: 842227290ab8c815a59f750e515dc45ea471a98bc2caf796e645ddf8e3c55e3d
Opcode Fuzzy Hash: 3848166f131fb00e841a1097599100b69284f6c29997c2aee890e55a201e4dbf
Instruction Fuzzy Hash: A631087180011AABCF51EFA1DC95EEEBFBAFF08310F100059F915A6262EB315956DF64

Function 006A7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 006A7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006A7B76

Strings

', xrefs: 006A7ACA

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 79f05d84e6926159c52512b144c503c8d8fffd1357e3afa6cf996b561ba1f8a6
Instruction ID: 11403f5d190c1671daf87278c93a9ee66ade9b5845ee7f71038157f486f6b933
Opcode Fuzzy Hash: 79f05d84e6926159c52512b144c503c8d8fffd1357e3afa6cf996b561ba1f8a6
Instruction Fuzzy Hash: 4D410774A0530AAFDB14DF64C981BEABBB6FB09300F10016AEA05AB351D771AD51CFA0

Function 006A6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 006A6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006A6B53

Strings

static, xrefs: 006A6AB3

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 826fa40ada8514dea1e24eba98cf1c9359b2e3756e5dbeddd315c35fb29680bb
Instruction ID: 958a1413d8c28a273edbb630f7493d1806a6101514c372ebfdc7144b5e416058
Opcode Fuzzy Hash: 826fa40ada8514dea1e24eba98cf1c9359b2e3756e5dbeddd315c35fb29680bb
Instruction Fuzzy Hash: 39319071100604AEDB10AF64DC80BFB73AAFF49760F14961DF9A5D7190DA31AC91CB74

Function 006828A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0068294C

Strings

0, xrefs: 0068290A

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 6b0002d6dc33c7e5c29b064151371cd59a7c0d5587ce516c8d56835dd839acf4
Instruction ID: 8bf09254cb6e08762f3f9cfc660b6718a86d58f1b83ea4740da5c281c79fec13
Opcode Fuzzy Hash: 6b0002d6dc33c7e5c29b064151371cd59a7c0d5587ce516c8d56835dd839acf4
Instruction Fuzzy Hash: 7431D531A00307AFEF24EF5AC995BEEBBF6EF45350F140229E985A62A0D7709944CB51

Function 006A66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006A6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A676C

Strings

Combobox, xrefs: 006A672E

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 038ca9327621da2009b5890a058716f6c5068481ff86d61d265ca46acb2567ca
Instruction ID: f9fc4f96ca8793f3bcdcd513b5112de77a237672c0671829458be8d06e64948f
Opcode Fuzzy Hash: 038ca9327621da2009b5890a058716f6c5068481ff86d61d265ca46acb2567ca
Instruction Fuzzy Hash: 6111B275210208AFEF11AF64CC80EFB376BEB4A368F150129F9149B3A0D671DC918BA0

Function 006A6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00621D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00621D73
Part of subcall function 00621D35: GetStockObject.GDI32(00000011), ref: 00621D87
Part of subcall function 00621D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00621D91

GetWindowRect.USER32(00000000,?), ref: 006A6C71
GetSysColor.USER32(00000012), ref: 006A6C8B

Strings

static, xrefs: 006A6C4E

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: caa1638e0bb22a90687f5930b64b327c03766adfebee613a402feb9d1b187d72
Instruction ID: 7c22c17c1cf15139396458bed4d3b5eaec791c5f7d12118f0bd36e06b0ad6f1a
Opcode Fuzzy Hash: caa1638e0bb22a90687f5930b64b327c03766adfebee613a402feb9d1b187d72
Instruction Fuzzy Hash: AC215972510219AFDF04EFB8CC45AFA7BAAFB09314F045628F996D2250D635E851DF60

Function 006A6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006A69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006A69B1

Strings

edit, xrefs: 006A6986

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 7f5227244ec2626a58b5a5d5fd9c27f5332308b60516fe3e285f9c5653b7458d
Instruction ID: c6821b60f26cf45f58855058c1b7fedd0cf22557d580b5bdf6e46da95f87c0a7
Opcode Fuzzy Hash: 7f5227244ec2626a58b5a5d5fd9c27f5332308b60516fe3e285f9c5653b7458d
Instruction Fuzzy Hash: BE116D71500205ABEB10AF64DC44AEB376BEB16374F544728F9A5962E0C771EC519F60

Function 006829AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00682A41

Strings

0, xrefs: 00682A18

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5f92f8fa45e51d338b3863f2206df91a6f3b0b0019fe2e8cb582feff3344dcde
Instruction ID: de77e7888ccb46a6fad09d0570386a4fa2569f99fa0f0eb84d70b7d2872eca67
Opcode Fuzzy Hash: 5f92f8fa45e51d338b3863f2206df91a6f3b0b0019fe2e8cb582feff3344dcde
Instruction Fuzzy Hash: 6E11D036901216ABCF38FB98D994BEA77ABAF45304F144225E855EB390D730AD0AC791

Function 006921D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0069222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00692255

Strings

<local>, xrefs: 0069221D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 35db7753824c1cf1b11e9795588d957ea1593f3ff6fbc738c26dc67a7ffa3174
Instruction ID: 5687a97a25d14d774997a3d928c3f4105ba589b0a45c7f835b54e99180a261bb
Opcode Fuzzy Hash: 35db7753824c1cf1b11e9795588d957ea1593f3ff6fbc738c26dc67a7ffa3174
Instruction Fuzzy Hash: 0E110670541226BADF289F518CA4EF7FBAEFF06751F10822AF50486900D3706A91D6F0

Function 00678E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 0067AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0067AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00678E73

Strings

ComboBox, xrefs: 00678E12
ListBox, xrefs: 00678E3D

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9221bd0dc371bf2a74559d8fa1bae6896458e177d6f56d5d6a3d5505bde92dda
Instruction ID: 8f9728340c9a852a7d1b33bd0f2ebe9b35fb423f3083deba1b1e140820d8b9bd
Opcode Fuzzy Hash: 9221bd0dc371bf2a74559d8fa1bae6896458e177d6f56d5d6a3d5505bde92dda
Instruction Fuzzy Hash: 2001B571A41629AB8B14EBA4CC55CFE736BAF46320B144A1EF826573E1EF315C08DA51

Function 00678CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 0067AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0067AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00678D6B

Strings

ComboBox, xrefs: 00678D0A
ListBox, xrefs: 00678D35

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 019b25311f0f4c818a4a7840cde89522bb3c2b61a09d96b22333e8a375c95656
Instruction ID: 6a4e44b3d52f0a58433b242787a21e27e571ee46e6b35e6819e048a36eaccd40
Opcode Fuzzy Hash: 019b25311f0f4c818a4a7840cde89522bb3c2b61a09d96b22333e8a375c95656
Instruction Fuzzy Hash: 5C01FC71B41518ABCB24E7E0C956EFE77AEDF15340F10401E7406632D1DE215E08D675

Function 00678D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 0067AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0067AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00678DEE

Strings

ComboBox, xrefs: 00678D8F
ListBox, xrefs: 00678DBA

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 449638650192496e73535e1f280db815484f4a32f0deeb1cdce9dff6164dce31
Instruction ID: f21d3ba86c22f2d7bfde2b3b2eed5650eaa9649609b06403e85c49e3fc239f6f
Opcode Fuzzy Hash: 449638650192496e73535e1f280db815484f4a32f0deeb1cdce9dff6164dce31
Instruction Fuzzy Hash: 47012B71A81118BBCB25E7E4C946EFEB7AECF12300F10401AB80A632D1DE214E09DA76

Function 00646B71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00646B93
__calloc_crt.LIBCMT ref: 00646BAC

Strings

@Bn, xrefs: 00646BC3

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: __calloc_crt
String ID: @Bn
API String ID: 3494438863-3885905162
Opcode ID: 2bac49a26824f49a21c591fb34df17cca9517ec1bbbc20738eabf70e735d4f8c
Instruction ID: b5c26763a97d82a08d7420d8fc65d5e79d5ae1cf23342808aa4a55e7e1113240
Opcode Fuzzy Hash: 2bac49a26824f49a21c591fb34df17cca9517ec1bbbc20738eabf70e735d4f8c
Instruction Fuzzy Hash: AAF04F71608B128FF7649F68FC91BA62B97E712734B50041EF302CF290EB70899286C5

Function 00684F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00684F46
_wcscmp.LIBCMT ref: 00684F58

Strings

#32770, xrefs: 00684F52

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 30a330b9efe1b6a00d4a29e77fad20ef33a5594af991a2327a0122c07f42562e
Instruction ID: 4a24a3e69be510ebccd63815c01ef525dfdaa460831c765d1f7784cb8dbd6a18
Opcode Fuzzy Hash: 30a330b9efe1b6a00d4a29e77fad20ef33a5594af991a2327a0122c07f42562e
Instruction Fuzzy Hash: F9E06832A003382BD320AB99EC49FA7F7ACEB91B70F00012BFD00D3140D960AA058BE0

Function 0065B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0065B314: _memset.LIBCMT ref: 0065B321

Part of subcall function 00640940: InitializeCriticalSectionAndSpinCount.KERNEL32(006E4158,00000000,006E4144,0065B2F0,?,?,?,0062100A), ref: 00640945

IsDebuggerPresent.KERNEL32(?,?,?,0062100A), ref: 0065B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0062100A), ref: 0065B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0065B2FE

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 87ca38745cdbe298f1bcdd8fc7a2cf752774b73e58b68c5e87a829c37c36c346
Instruction ID: 8242670fbfd2121511c68b342edf3942c3ccc49de3c9fae9b4de2d7dc223b49c
Opcode Fuzzy Hash: 87ca38745cdbe298f1bcdd8fc7a2cf752774b73e58b68c5e87a829c37c36c346
Instruction Fuzzy Hash: 0CE092702007118FE760EF68E4047427BE6EF04305F049A6CE856D7341E7B4E448CFA1

Function 00661935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00661775

Part of subcall function 0069BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0066195E,?), ref: 0069BFFE
Part of subcall function 0069BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0069C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0066196D

Strings

WIN_XPe, xrefs: 00661788

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: b486701f419c49a85f1d0485c621a17a65cfabaa1415a9d2e8cd60bce74f535a
Instruction ID: 514ddf57a3d1b859f20ce38195d4ae392a22732c46e5cb512d54789a69a8df17
Opcode Fuzzy Hash: b486701f419c49a85f1d0485c621a17a65cfabaa1415a9d2e8cd60bce74f535a
Instruction Fuzzy Hash: 2FF0ED71800109DFDB15DB91D9C4AECBBFAFB19301F581096E102AB190D7716F85DF61

Function 00649B79 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00649B94

Part of subcall function 00649C0B: __mtinitlocknum.LIBCMT ref: 00649C1D
Part of subcall function 00649C0B: RtlEnterCriticalSection.NTDLL(00000000), ref: 00649C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00649BA4

Part of subcall function 00649100: ___addlocaleref.LIBCMT ref: 0064911C
Part of subcall function 00649100: ___removelocaleref.LIBCMT ref: 00649127
Part of subcall function 00649100: ___freetlocinfo.LIBCMT ref: 0064913B

Strings

8m, xrefs: 00649B8A, 00649B9F, 00649BAB

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8m
API String ID: 547918592-1963270409
Opcode ID: d0f01708a01fd9f1ed2cb9b18a4695271466f3c783f8fa4a2dc2e6c4ff3aa2c1
Instruction ID: 3ca659ab0a52c5837eeb4808696ba5e3bb0f32a0a9275284400da71453b6d68f
Opcode Fuzzy Hash: d0f01708a01fd9f1ed2cb9b18a4695271466f3c783f8fa4a2dc2e6c4ff3aa2c1
Instruction Fuzzy Hash: 44E08C71D87700ABEB90BBE86A43B4E27639B02B21F20115FF0555A2C1CD712400862F

Function 006A5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006A596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006A5981

Part of subcall function 00685244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006852BC

Strings

Shell_TrayWnd, xrefs: 006A5967

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9daa920585744d24d97d8cd0382e286b116078a5b93e162ef4baf9ca61cb4f47
Instruction ID: dd04382ea6aa279e961acd185fd9d5a93d9520e3a69a0c05f1dfde33c69f3b3d
Opcode Fuzzy Hash: 9daa920585744d24d97d8cd0382e286b116078a5b93e162ef4baf9ca61cb4f47
Instruction Fuzzy Hash: 28D0C935784311BAE7A4BBB0AC5FF966A56AB11B50F011829B24AAA1D0CDE0A800CA54

Function 006A5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006A59AE
PostMessageW.USER32(00000000), ref: 006A59B5

Part of subcall function 00685244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006852BC

Strings

Shell_TrayWnd, xrefs: 006A59A7

Memory Dump Source

Source File: 00000001.00000002.1278958782.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000001.00000002.1278932826.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.00000000006ED000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1278958782.000000000072E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279148960.0000000000734000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1279169006.0000000000735000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_620000_F0DgoRk0p1.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ba39ba33d5cd76f0c32422de5fdef4cba51d841b84b478e482f55dd494c867eb
Instruction ID: 070b916208ca517ad58bbd676b25c46f0e26fba5524808b15f95ee0ed24abb51
Opcode Fuzzy Hash: ba39ba33d5cd76f0c32422de5fdef4cba51d841b84b478e482f55dd494c867eb
Instruction Fuzzy Hash: 98D0C9317803117AE7A4BBB0AC4FF966656AB16B50F011829B246AA1D0CDE0A800CA59

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report F0DgoRk0p1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Maianthemum

C:\Users\user\AppData\Local\Temp\aut1CCD.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
F0DgoRk0p1.exe

Function 00623B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00623633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Function 006249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00624E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00689155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0062708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00623A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00623766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00623015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 71
registrywindowclipboardCOMMON

Function 00623041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Function 016B56C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00627285 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65
COMMON

Function 006239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0062686A Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Function 016B5460 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154
fileCOMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre