Edit tour

Windows Analysis Report
tN8GsMV1le.exe

Overview

General Information

Sample name:	tN8GsMV1le.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	0ed8ca46015ab7478fea92df5e02cee1939cc83f3ab308dd50d973fbce00aa36
Analysis ID:	1590073
MD5:	80d1696d1faeb3a13686b7ad4620e8af
SHA1:	4181929b796b7fd1583aa3e2add32d89f1d753c3
SHA256:	0ed8ca46015ab7478fea92df5e02cee1939cc83f3ab308dd50d973fbce00aa36
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

PE file contains executable resources (Code or Archives)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

tN8GsMV1le.exe (PID: 7424 cmdline: "C:\Users\user\Desktop\tN8GsMV1le.exe" MD5: 80D1696D1FAEB3A13686B7AD4620E8AF)

ageless.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\tN8GsMV1le.exe" MD5: 80D1696D1FAEB3A13686B7AD4620E8AF)

RegSvcs.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\tN8GsMV1le.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 7624 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

ageless.exe (PID: 7676 cmdline: "C:\Users\user\AppData\Local\flexuosely\ageless.exe" MD5: 80D1696D1FAEB3A13686B7AD4620E8AF)

RegSvcs.exe (PID: 7704 cmdline: "C:\Users\user\AppData\Local\flexuosely\ageless.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "contabilidad@daipro.com.mx", "Password": "DAIpro123**", "Server": "daipro.com.mx", "To": "saleseuropower2@yandex.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2988302345.00000000026B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data
00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data
00000005.00000002.2988584382.0000000003005000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ageless.exe PID: 7444	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: ageless.exe PID: 7444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ageless.exe PID: 7444	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: ageless.exe PID: 7444	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x30e4d1:$a1: get_encryptedPassword 0x30e7ea:$a2: get_encryptedUsername 0x30e280:$a3: get_timePasswordChanged 0x30e3a1:$a4: get_passwordField 0x30e4e7:$a5: set_encryptedPassword 0x30fdea:$a7: get_logins 0x30fa9b:$a8: GetOutlookPasswords 0x30f88d:$a9: StartKeylogger 0x30fd3a:$a10: KeyLoggerEventArgs 0x30f8ea:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7472	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7472	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7472	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x121a5:$a1: get_encryptedPassword 0x11f54:$a3: get_timePasswordChanged 0x12075:$a4: get_passwordField 0x121bb:$a5: set_encryptedPassword 0x643f:$a7: get_logins 0x60f0:$a8: GetOutlookPasswords 0x5ee2:$a9: StartKeylogger 0x638f:$a10: KeyLoggerEventArgs 0x5f3f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: ageless.exe PID: 7676	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: ageless.exe PID: 7676	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ageless.exe PID: 7676	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: ageless.exe PID: 7676	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x45e18e:$a1: get_encryptedPassword 0x45e4a7:$a2: get_encryptedUsername 0x45df3d:$a3: get_timePasswordChanged 0x45e05e:$a4: get_passwordField 0x45e1a4:$a5: set_encryptedPassword 0x45faa7:$a7: get_logins 0x45f758:$a8: GetOutlookPasswords 0x45f54a:$a9: StartKeylogger 0x45f9f7:$a10: KeyLoggerEventArgs 0x45f5a7:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7704	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7704	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.ageless.exe.3af0000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.ageless.exe.3af0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.ageless.exe.3af0000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.ageless.exe.3af0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
1.2.ageless.exe.3af0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12365:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11863:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b71:$a4: \Orbitum\User Data\Default\Login Data 0x12969:$a5: \Kometa\User Data\Default\Login Data
5.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data
4.2.ageless.exe.41b0000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.ageless.exe.41b0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.ageless.exe.41b0000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.ageless.exe.41b0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
4.2.ageless.exe.41b0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12365:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11863:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b71:$a4: \Orbitum\User Data\Default\Login Data 0x12969:$a5: \Kometa\User Data\Default\Login Data
4.2.ageless.exe.41b0000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.ageless.exe.41b0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.ageless.exe.41b0000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.ageless.exe.41b0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
4.2.ageless.exe.41b0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data
1.2.ageless.exe.3af0000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.ageless.exe.3af0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.ageless.exe.3af0000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.ageless.exe.3af0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
1.2.ageless.exe.3af0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data
Click to see the 16 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" , ProcessId: 7624, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs" , ProcessId: 7624, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\flexuosely\ageless.exe, ProcessId: 7444, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T15:08:34.055922+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	132.226.8.169	80	TCP
2025-01-13T15:08:46.649609+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49732	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.2.ageless.exe.41b0000.1.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "contabilidad@daipro.com.mx", "Password": "DAIpro123**", "Server": "daipro.com.mx", "To": "saleseuropower2@yandex.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Virustotal: Detection: 45%			Perma Link

Multi AV Scanner detection for submitted file

Source: tN8GsMV1le.exe	ReversingLabs: Detection: 47%
Source: tN8GsMV1le.exe	Virustotal: Detection: 45%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: tN8GsMV1le.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: tN8GsMV1le.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49734 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: ageless.exe, 00000001.00000003.1756007348.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000001.00000003.1754537545.0000000004110000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000004.00000003.1881177175.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000004.00000003.1884616502.0000000004390000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ageless.exe, 00000001.00000003.1756007348.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000001.00000003.1754537545.0000000004110000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000004.00000003.1881177175.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000004.00000003.1884616502.0000000004390000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_008368EE FindFirstFileW,FindClose,	0_2_008368EE
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0083698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0083698F
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0082D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0082D076
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0082D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0082D3A9
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00839642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00839642
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0083979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0083979D
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0082DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0082DBBE
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00839B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00839B2B
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00835C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00835C97
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002C68EE FindFirstFileW,FindClose,	1_2_002C68EE
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_002C698F
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_002BD076
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_002BD3A9
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_002C9642
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_002C979D
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_002C9B2B
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_002BDBBE
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002C5C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_002C5C97
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002C68EE FindFirstFileW,FindClose,	4_2_002C68EE
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	4_2_002C698F
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_002BD076
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_002BD3A9
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_002C9642
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_002C979D
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	4_2_002C9B2B
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	4_2_002BDBBE
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002C5C97 FindFirstFileW,FindNextFileW,FindClose,	4_2_002C5C97

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02469731h	2_2_02469480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02469E5Ah	2_2_02469A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02469E5Ah	2_2_02469A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 02469E5Ah	2_2_02469D87

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49732 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49734 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_0083CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0083CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000002.00000002.2988302345.00000000025FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.2988302345.0000000002591000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: ageless.exe, 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2986759550.0000000000413000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000002.00000002.2988302345.000000000262D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2988302345.000000000262D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000002.00000002.2988302345.0000000002591000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ageless.exe, 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2986759550.0000000000413000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: ageless.exe, 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, ageless.exe, 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2986759550.0000000000413000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_0083EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0083EAFF

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0083ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	0_2_0083ED6A
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	1_2_002CED6A
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	4_2_002CED6A

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

0_2_0083EAFF

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_0082AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0082AA57

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00859576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00859576
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	1_2_002E9576
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	4_2_002E9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.ageless.exe.3af0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.ageless.exe.3af0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.ageless.exe.41b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.ageless.exe.41b0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.ageless.exe.41b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.ageless.exe.41b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.ageless.exe.3af0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.ageless.exe.3af0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: ageless.exe PID: 7444, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7472, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ageless.exe PID: 7676, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: tN8GsMV1le.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: tN8GsMV1le.exe, 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_46b12145-2
Source: tN8GsMV1le.exe, 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_190b0e5f-2
Source: ageless.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ageless.exe, 00000001.00000002.1757620819.0000000000312000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d208b053-9
Source: ageless.exe, 00000001.00000002.1757620819.0000000000312000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d856912b-f
Source: ageless.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ageless.exe, 00000004.00000002.1886925480.0000000000312000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0e7629bf-d
Source: ageless.exe, 00000004.00000002.1886925480.0000000000312000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_004f72bb-d

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007C3170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_007C3170
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0085A2D7 NtdllDialogWndProc_W,	0_2_0085A2D7
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_008587B2 NtdllDialogWndProc_W,CallWindowProcW,	0_2_008587B2
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00858AAA NtdllDialogWndProc_W,	0_2_00858AAA
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007D8BA4 NtdllDialogWndProc_W,	0_2_007D8BA4
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00858FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_00858FC9
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_008590A1 SendMessageW,NtdllDialogWndProc_W,	0_2_008590A1
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007D9052 NtdllDialogWndProc_W,	0_2_007D9052
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007D90A7 NtdllDialogWndProc_W,	0_2_007D90A7
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0085911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0085911E
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00859380 NtdllDialogWndProc_W,	0_2_00859380
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_008593CB NtdllDialogWndProc_W,	0_2_008593CB
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00859400 ClientToScreen,NtdllDialogWndProc_W,	0_2_00859400
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0085953A GetWindowLongW,NtdllDialogWndProc_W,	0_2_0085953A
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00859576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00859576
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007D97C0 GetParent,NtdllDialogWndProc_W,	0_2_007D97C0
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007D997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	0_2_007D997D
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00859EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	0_2_00859EF3
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00859E74 NtdllDialogWndProc_W,	0_2_00859E74
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00859F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_00859F86
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00253170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	1_2_00253170
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002EA2D7 NtdllDialogWndProc_W,	1_2_002EA2D7
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E87B2 NtdllDialogWndProc_W,CallWindowProcW,	1_2_002E87B2
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E8AAA NtdllDialogWndProc_W,	1_2_002E8AAA
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00268BA4 NtdllDialogWndProc_W,	1_2_00268BA4
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E8FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	1_2_002E8FC9
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00269052 NtdllDialogWndProc_W,	1_2_00269052
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002690A7 NtdllDialogWndProc_W,	1_2_002690A7
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E90A1 SendMessageW,NtdllDialogWndProc_W,	1_2_002E90A1
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	1_2_002E911E
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E9380 NtdllDialogWndProc_W,	1_2_002E9380
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E93CB NtdllDialogWndProc_W,	1_2_002E93CB
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E9400 ClientToScreen,NtdllDialogWndProc_W,	1_2_002E9400
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E953A GetWindowLongW,NtdllDialogWndProc_W,	1_2_002E953A
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	1_2_002E9576
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002697C0 GetParent,NtdllDialogWndProc_W,	1_2_002697C0
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0026997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	1_2_0026997D
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E9E74 NtdllDialogWndProc_W,	1_2_002E9E74
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E9EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	1_2_002E9EF3
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E9F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	1_2_002E9F86
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00253170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	4_2_00253170
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002EA2D7 NtdllDialogWndProc_W,	4_2_002EA2D7
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E87B2 NtdllDialogWndProc_W,CallWindowProcW,	4_2_002E87B2
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E8AAA NtdllDialogWndProc_W,	4_2_002E8AAA
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00268BA4 NtdllDialogWndProc_W,	4_2_00268BA4
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E8FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	4_2_002E8FC9
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00269052 NtdllDialogWndProc_W,	4_2_00269052
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002690A7 NtdllDialogWndProc_W,	4_2_002690A7
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E90A1 SendMessageW,NtdllDialogWndProc_W,	4_2_002E90A1
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	4_2_002E911E
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E9380 NtdllDialogWndProc_W,	4_2_002E9380
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E93CB NtdllDialogWndProc_W,	4_2_002E93CB
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E9400 ClientToScreen,NtdllDialogWndProc_W,	4_2_002E9400
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E953A GetWindowLongW,NtdllDialogWndProc_W,	4_2_002E953A
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	4_2_002E9576
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002697C0 GetParent,NtdllDialogWndProc_W,	4_2_002697C0
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_0026997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	4_2_0026997D
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E9E74 NtdllDialogWndProc_W,	4_2_002E9E74
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E9EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	4_2_002E9EF3
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E9F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	4_2_002E9F86

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_0082D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0082D5EB

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_00821201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,74755590,CreateProcessAsUserW,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00821201

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0082E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	0_2_0082E8F6
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	1_2_002BE8F6
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	4_2_002BE8F6

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007C8060	0_2_007C8060
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00832046	0_2_00832046
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00828298	0_2_00828298
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007FE4FF	0_2_007FE4FF
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007F676B	0_2_007F676B
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00854873	0_2_00854873
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007CCAF0	0_2_007CCAF0
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007ECAA0	0_2_007ECAA0
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007DCC39	0_2_007DCC39
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007F6DD9	0_2_007F6DD9
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007DB119	0_2_007DB119
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007C91C0	0_2_007C91C0
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007E1394	0_2_007E1394
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007E1706	0_2_007E1706
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007E781B	0_2_007E781B
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007D997D	0_2_007D997D
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007C7920	0_2_007C7920
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007E19B0	0_2_007E19B0
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007E7A4A	0_2_007E7A4A
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007E1C77	0_2_007E1C77
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007E7CA7	0_2_007E7CA7
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007F9EEE	0_2_007F9EEE
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0084BE44	0_2_0084BE44
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007E1F32	0_2_007E1F32
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_017D0C50	0_2_017D0C50
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00258060	1_2_00258060
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002C2046	1_2_002C2046
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002B8298	1_2_002B8298
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0028E4FF	1_2_0028E4FF
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0028676B	1_2_0028676B
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E4873	1_2_002E4873
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0027CAA0	1_2_0027CAA0
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0025CAF0	1_2_0025CAF0
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0026CC39	1_2_0026CC39
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00286DD9	1_2_00286DD9
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0026D064	1_2_0026D064
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0026B119	1_2_0026B119
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002591C0	1_2_002591C0
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00271394	1_2_00271394
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00271706	1_2_00271706
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0027781B	1_2_0027781B
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00257920	1_2_00257920
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0026997D	1_2_0026997D
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002719B0	1_2_002719B0
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00277A4A	1_2_00277A4A
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00271C77	1_2_00271C77
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00277CA7	1_2_00277CA7
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002DBE44	1_2_002DBE44
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00289EEE	1_2_00289EEE
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00271F32	1_2_00271F32
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0025BF40	1_2_0025BF40
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0176EB08	1_2_0176EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0246C530	2_2_0246C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02462DD1	2_2_02462DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02469480	2_2_02469480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_024619B8	2_2_024619B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0246C521	2_2_0246C521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0246946F	2_2_0246946F
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00258060	4_2_00258060
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002C2046	4_2_002C2046
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002B8298	4_2_002B8298
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_0028E4FF	4_2_0028E4FF
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_0028676B	4_2_0028676B
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E4873	4_2_002E4873
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_0027CAA0	4_2_0027CAA0
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_0025CAF0	4_2_0025CAF0
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_0026CC39	4_2_0026CC39
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00286DD9	4_2_00286DD9
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_0026D064	4_2_0026D064
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_0026B119	4_2_0026B119
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002591C0	4_2_002591C0
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00271394	4_2_00271394
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00271706	4_2_00271706
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_0027781B	4_2_0027781B
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00257920	4_2_00257920
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_0026997D	4_2_0026997D
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002719B0	4_2_002719B0
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00277A4A	4_2_00277A4A
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00271C77	4_2_00271C77
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00277CA7	4_2_00277CA7
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002DBE44	4_2_002DBE44
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00289EEE	4_2_00289EEE
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00271F32	4_2_00271F32
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_0025BF40	4_2_0025BF40
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_01A53C48	4_2_01A53C48

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: String function: 007DF9F2 appears 31 times
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: String function: 007E0A30 appears 46 times
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: String function: 00274963 appears 54 times
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: String function: 00270A30 appears 92 times
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: String function: 00259CB3 appears 60 times
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: String function: 00278E0B appears 36 times
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: String function: 0025988F appears 34 times
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: String function: 00274A28 appears 40 times
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: String function: 0025600E appears 34 times
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: String function: 002BDF27 appears 32 times
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: String function: 0026F9F2 appears 62 times
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: String function: 00282FA6 appears 48 times
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: String function: 00291F50 appears 52 times
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: String function: 0025CFA0 appears 44 times

Source: tN8GsMV1le.exe	Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: ageless.exe.0.dr	Static PE information: Resource name: RT_STRING type: COM executable for DOS

Source: tN8GsMV1le.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.ageless.exe.3af0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.ageless.exe.3af0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.ageless.exe.41b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.ageless.exe.41b0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.ageless.exe.41b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.ageless.exe.41b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.ageless.exe.3af0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.ageless.exe.3af0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: ageless.exe PID: 7444, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7472, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ageless.exe PID: 7676, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/3@2/2

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_008337B5 GetLastError,FormatMessageW,

0_2_008337B5

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_008210BF AdjustTokenPrivileges,CloseHandle,	0_2_008210BF
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_008216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_008216C3
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002B10BF AdjustTokenPrivileges,CloseHandle,	1_2_002B10BF
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_002B16C3
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002B10BF AdjustTokenPrivileges,CloseHandle,	4_2_002B10BF
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	4_2_002B16C3

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_008351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008351CD

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_0084A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0084A67C

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_0083648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0083648E

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_007C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007C42A2

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

File created: C:\Users\user\AppData\Local\flexuosely

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

File created: C:\Users\user\AppData\Local\Temp\Halitherses

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2988302345.0000000002670000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2988302345.0000000002680000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2988302345.000000000268E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: tN8GsMV1le.exe	ReversingLabs: Detection: 47%
Source: tN8GsMV1le.exe	Virustotal: Detection: 45%

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

File read: C:\Users\user\Desktop\tN8GsMV1le.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\tN8GsMV1le.exe "C:\Users\user\Desktop\tN8GsMV1le.exe"
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Process created: C:\Users\user\AppData\Local\flexuosely\ageless.exe "C:\Users\user\Desktop\tN8GsMV1le.exe"
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\tN8GsMV1le.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\flexuosely\ageless.exe "C:\Users\user\AppData\Local\flexuosely\ageless.exe"
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\flexuosely\ageless.exe"
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Process created: C:\Users\user\AppData\Local\flexuosely\ageless.exe "C:\Users\user\Desktop\tN8GsMV1le.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\tN8GsMV1le.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\flexuosely\ageless.exe "C:\Users\user\AppData\Local\flexuosely\ageless.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\flexuosely\ageless.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: ageless.exe, 00000001.00000003.1756007348.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000001.00000003.1754537545.0000000004110000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000004.00000003.1881177175.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000004.00000003.1884616502.0000000004390000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ageless.exe, 00000001.00000003.1756007348.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000001.00000003.1754537545.0000000004110000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000004.00000003.1881177175.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000004.00000003.1884616502.0000000004390000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007C42DE

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007E0A76 push ecx; ret	0_2_007E0A89
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00270A76 push ecx; ret	1_2_00270A89
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00270A76 push ecx; ret	4_2_00270A89

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

File created: C:\Users\user\AppData\Local\flexuosely\ageless.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (92).png

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_007DF98E
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00851C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00851C41
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0026F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_0026F98E
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_002E1C41
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_0026F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	4_2_0026F98E
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	4_2_002E1C41

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-95287

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	API/Special instruction interceptor: Address: 176E72C
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	API/Special instruction interceptor: Address: 1A5386C

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ageless.exe, 00000004.00000002.1888446015.000000000196A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE]
Source: tN8GsMV1le.exe, 00000000.00000002.1741392845.000000000170F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: ageless.exe, 00000001.00000002.1758697335.000000000163E000.00000004.00000020.00020000.00000000.sdmp, ageless.exe, 00000001.00000003.1757189639.000000000163E000.00000004.00000020.00020000.00000000.sdmp, ageless.exe, 00000001.00000003.1740975873.000000000163E000.00000004.00000020.00020000.00000000.sdmp, ageless.exe, 00000001.00000003.1739906124.000000000163E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE8D

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	API coverage: 3.4 %
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	API coverage: 3.8 %
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	API coverage: 3.5 %

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_008368EE FindFirstFileW,FindClose,	0_2_008368EE
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0083698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0083698F
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0082D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0082D076
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0082D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0082D3A9
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00839642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00839642
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0083979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0083979D
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_0082DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0082DBBE
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00839B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00839B2B
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00835C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00835C97
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002C68EE FindFirstFileW,FindClose,	1_2_002C68EE
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_002C698F
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_002BD076
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_002BD3A9
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_002C9642
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_002C979D
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_002C9B2B
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_002BDBBE
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002C5C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_002C5C97
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002C68EE FindFirstFileW,FindClose,	4_2_002C68EE
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	4_2_002C698F
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_002BD076
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	4_2_002BD3A9
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_002C9642
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	4_2_002C979D
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	4_2_002C9B2B
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	4_2_002BDBBE
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002C5C97 FindFirstFileW,FindNextFileW,FindClose,	4_2_002C5C97

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007C42DE

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: wscript.exe, 00000003.00000002.1872313759.00000227B2F23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: RegSvcs.exe, 00000002.00000002.2987340666.0000000000907000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: RegSvcs.exe, 00000005.00000002.2987316666.0000000001217000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: wscript.exe, 00000003.00000002.1872313759.00000227B2F23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	API call chain: ExitProcess graph end node			graph_0-96800
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_0083EAA2 BlockInput,

0_2_0083EAA2

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_007F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_007F2622

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007C42DE

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007E4CE8 mov eax, dword ptr fs:[00000030h]	0_2_007E4CE8
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_017D0B40 mov eax, dword ptr fs:[00000030h]	0_2_017D0B40
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_017D0AE0 mov eax, dword ptr fs:[00000030h]	0_2_017D0AE0
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_017CF470 mov eax, dword ptr fs:[00000030h]	0_2_017CF470
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00274CE8 mov eax, dword ptr fs:[00000030h]	1_2_00274CE8
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0176E9F8 mov eax, dword ptr fs:[00000030h]	1_2_0176E9F8
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0176E998 mov eax, dword ptr fs:[00000030h]	1_2_0176E998
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0176D328 mov eax, dword ptr fs:[00000030h]	1_2_0176D328
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00274CE8 mov eax, dword ptr fs:[00000030h]	4_2_00274CE8
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_01A52468 mov eax, dword ptr fs:[00000030h]	4_2_01A52468
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_01A53B38 mov eax, dword ptr fs:[00000030h]	4_2_01A53B38
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_01A53AD8 mov eax, dword ptr fs:[00000030h]	4_2_01A53AD8

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_00820B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00820B62

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007F2622
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_007E083F
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007E09D5 SetUnhandledExceptionFilter,	0_2_007E09D5
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_007E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_007E0C21
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00282622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00282622
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_0027083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0027083F
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002709D5 SetUnhandledExceptionFilter,	1_2_002709D5
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_00270C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00270C21
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00282622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00282622
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_0027083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0027083F
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002709D5 SetUnhandledExceptionFilter,	4_2_002709D5
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_00270C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00270C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 432008			Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C25008			Jump to behavior

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

0_2_00821201

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_00802BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00802BA5

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_0082B226 SendInput,keybd_event,

0_2_0082B226

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_008422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008422DA

Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\tN8GsMV1le.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\flexuosely\ageless.exe "C:\Users\user\AppData\Local\flexuosely\ageless.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\flexuosely\ageless.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

0_2_00820B62

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_00821663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00821663

Source: tN8GsMV1le.exe, 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmp, ageless.exe, 00000001.00000002.1757620819.0000000000312000.00000040.00000001.01000000.00000004.sdmp, ageless.exe, 00000004.00000002.1886925480.0000000000312000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ageless.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_007E0698 cpuid

0_2_007E0698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_00838195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00838195

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_0081D27A GetUserNameW,

0_2_0081D27A

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_007FBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_007FBB6F

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Code function: 0_2_007C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007C42DE

Source: C:\Users\user\Desktop\tN8GsMV1le.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.ageless.exe.3af0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ageless.exe.41b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ageless.exe.41b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ageless.exe.3af0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7676, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.ageless.exe.3af0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ageless.exe.41b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ageless.exe.41b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ageless.exe.3af0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7704, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: ageless.exe	Binary or memory string: WIN_81
Source: ageless.exe	Binary or memory string: WIN_XP
Source: ageless.exe, 00000004.00000002.1886925480.0000000000312000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: ageless.exe	Binary or memory string: WIN_XPe
Source: ageless.exe	Binary or memory string: WIN_VISTA
Source: ageless.exe	Binary or memory string: WIN_7
Source: ageless.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 1.2.ageless.exe.3af0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ageless.exe.41b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ageless.exe.41b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ageless.exe.3af0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2988302345.00000000026B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2988584382.0000000003005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7704, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.ageless.exe.3af0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ageless.exe.41b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ageless.exe.41b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ageless.exe.3af0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7676, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.ageless.exe.3af0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ageless.exe.41b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.ageless.exe.41b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ageless.exe.3af0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ageless.exe PID: 7676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7704, type: MEMORYSTR

Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00841204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00841204
Source: C:\Users\user\Desktop\tN8GsMV1le.exe	Code function: 0_2_00841806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00841806
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	1_2_002D1204
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 1_2_002D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_002D1806
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	4_2_002D1204
Source: C:\Users\user\AppData\Local\flexuosely\ageless.exe	Code function: 4_2_002D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	4_2_002D1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	31 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Software Packing	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	421 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	11 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tN8GsMV1le.exe	47%	ReversingLabs	Win32.Trojan.Generic
tN8GsMV1le.exe	45%	Virustotal		Browse
tN8GsMV1le.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\flexuosely\ageless.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\flexuosely\ageless.exe	47%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\flexuosely\ageless.exe	45%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.32.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	ageless.exe, 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2986759550.0000000000413000.00000040.80000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000002.00000002.2988302345.000000000262D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2988302345.000000000262D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F7D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.2988302345.00000000025FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2988302345.0000000002591000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F33000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	ageless.exe, 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, ageless.exe, 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2986759550.0000000000413000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	ageless.exe, 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2988302345.0000000002610000.00000004.00000800.00020000.00000000.sdmp, ageless.exe, 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2988584382.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2986759550.0000000000413000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.32.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590073
Start date and time:	2025-01-13 15:07:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tN8GsMV1le.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	0ed8ca46015ab7478fea92df5e02cee1939cc83f3ab308dd50d973fbce00aa36
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/3@2/2
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 99% Number of executed functions: 45 Number of non-executed functions: 307

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 7472 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:08:33	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
104.21.32.1	24010-KAPSON.exe	Get hash	malicious	Azorult, GuLoader	Browse	b2csa.icu/PL341/index.php
	bIcqeSVPW6.exe	Get hash	malicious	FormBook	Browse	www.rafconstrutora.online/sa6l/
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	www.masterqq.pro/3vdc/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
checkip.dyndns.com	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	rlPy5vt1Dg.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
CLOUDFLARENETUS	https://deltacapoffers.com/prequalification.php?utm_source=klayvio&utm_medium=email&utm_campaign=scrapeddripcampaign&utm_id=efi&utm_term=efi&utm_content=scrapedlists6&_kx=YFJgSt5YAM6jpJldJ4ZDop7CB1jVRJhqJKw59Uk4HMU.QZibAu	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://organismekina8at-my.sharepoint.com/:f:/g/personal/mariejoelle_tremblay_kina8at_ca/ErWnJRn_SWBKkEcx4yGorhMBtA4m6tEq5cYuHnwwp_z1Sw	Get hash	malicious	Unknown	Browse	188.114.96.3
	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	http://id1223.adsalliance.xyz	Get hash	malicious	Unknown	Browse	162.247.243.29
	Cardfactory Executed Agreement DocsID- Sign & Review..eml	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://unioneconselvano.it/0kktkM-VkjxP-cvXwg-XC4J3-7f72j-pfTsY-7uK529r.php	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://www.google.ca/url?subgn1=https://www.fordbeckerandgutierrez.com&SQ=WA&SQ=F5&SQ=R7&TA=W4&SQ=L6&q=%2561%256d%2570%2F%2573%256D%2569%2568%256B%2538%252E%2564%2565%256B%2563%2568%256F%2562%2574%2569%2565%2577%252E%2563%256F%256D%252F%256A%2576%2561%256E%256E%2561%2574%2574%2565%256E%2540%2561%2572%2572%256F%2577%2562%2561%256E%256B%252E%2563%256F%256D&opdg=ejM&cFQ=QXo&STA=MHY	Get hash	malicious	HTMLPhisher	Browse	104.17.245.203
	https://emailcaptain.pages.dev/dimitar?login=eXVsdXlldl9hbkByZnMucnU=&page=_adobe	Get hash	malicious	Unknown	Browse	172.67.169.194
	DOCS974i7C63.pdf	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	NVIDIAShare.exe.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.64.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	slime crypted.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	rOrders.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	MB263350411AE.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1

Process:	C:\Users\user\Desktop\tN8GsMV1le.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.860662311761124
Encrypted:	false
SSDEEP:	1536:Q5wlQlPRHa+XJvc4HSrrXGrca9tvDVEo2OE5dMbB7xkBW+uc6+dJLRQTJ2S2CGn:O5Da+5k2MrXGYafeoy5d2xknh62RQTJ8
MD5:	DC7479346270CAAF59A1DD44DB20A829
SHA1:	3E7BB7950221EC62BE7723FD07045F9894F334EC
SHA-256:	EBF09F88C0E561D1AED529B4CFC6A53B026998EAE66D1E6513A0F646529B6AE7
SHA-512:	41030BF6E58549828A78539EABF116AE95AFBD6D026D3CEE12AD1A0F02EBDC3541B78BCB9DED4C105CD1563D89BCE63B269D69DDE79FBA08C5136D707882C039
Malicious:	false
Reputation:	low
Preview:	.k.2PELYAZ34..DU.SCCY0VL.WF1E2SELYEZ34QCDUESCCY0VLXWF1E2SELY.Z34_\.[E.J.x.W..v.Y,As5>6"(RYq %;+<7c;Uv>-9fX+....y(5WQ.NI_aSCCY0VL..F1.3PE...34QCDUES.C[1]M.WFUD2SMLYEZ34..EUEsCCY.WLXW.1E.SEL[EZ74QCDUESECY0VLXWF.D2SGLYEZ34SC$.ESSCY VLXWV1E"SELYEZ#4QCDUESCCY0..YW.1E2S.MY._34QCDUESCCY0VLXWF1E.RE@YEZ34QCDUESCCY0VLXWF1E2SELYEZ34QCDUESCCY0VLXWF1E2SELyEZ;4QCDUESCCY0^lXW.1E2SELYEZ34.7!-1SCC.RWLXwF1EVREL[EZ34QCDUESCCY0vLX7hC6@0ELY._34Q.EUEUCCYVWLXWF1E2SELYEZs4Q.j' ?, Y0ZLXWF.D2SGLYE624QCDUESCCY0VL.WFsE2SELYEZ34QCDUESs.X0VLXW.1E2QEIY..34..DUFSCC.0VJ.F1.2SELYEZ34QCDUESCCY0VLXWF1E2SELYEZ34QCDUESCC.M.C..X6..ELYEZ35S@@SM[CCY0VLXW81E2.ELY.Z34fCDU`SCC40VL\|WF1;2SE2YEZW4QC6UES"CY0.LXW)1E2=ELY;Z34OAlJESIi.0TdxWF;E..6mYEP.5QC@&gSCI.2VL\$e1E8.FLYA).4QI.QESG0\|0VF.RF1A..EO.S\34J,\|UEYC@.%PLXLl.E0{\|LYOZ..Q@.@CSCXs.VN.^F1A..6QYE\.vQCN!LSCA.:VL\}X3mqSEFsg$ 4QGoUoq=WY0RgX}dOP2SAgYoxM"QC@~Eya=N0VHsWl7oPS7.UE0[0CDSm.CCS..LXQF..2-KLYAX\.QCNsoiCk.0VJX..1E4So.Y;i34UoC+vSCGr&(}XWB.CJSEJ.Z3>t.wUEWk.Y0\Lr.F..2SCLq.Z32

C:\Users\user\AppData\Local\flexuosely\ageless.exe

Download File

Process:	C:\Users\user\Desktop\tN8GsMV1le.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	665600
Entropy (8bit):	7.929162536945725
Encrypted:	false
SSDEEP:	12288:PsHzOUNUSB/o5LsI1uwajJ5yvv1l2prD5jZUdhA2fSHa2oHzIiGZ6nQ:eiUmSB/o5d1ubcvcrNjZi7thEi+6Q
MD5:	80D1696D1FAEB3A13686B7AD4620E8AF
SHA1:	4181929B796B7FD1583AA3E2ADD32D89F1D753C3
SHA-256:	0ED8CA46015AB7478FEA92DF5E02CEE1939CC83F3AB308DD50D973FBCE00AA36
SHA-512:	7668327F6BF157D23F8055DA68CAF4EA6B3516E8C664D24E56512282C86B905B559A8484A7E449158B1C651B9EE22041E5C947641027F0E275533E3AC9128C70
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47% Antivirus: Virustotal, Detection: 45%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L......g.........."..........`....................@.......................................@...@.......@.....................`...$.......`U..........................................................................................................UPX0....................................UPX1................................@....rsrc....`.......Z..................@..............................................................................................................................................................................................................................................................................................................................................3.91.UPX!....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Download File

Process:	C:\Users\user\AppData\Local\flexuosely\ageless.exe
File Type:	data
Category:	dropped
Size (bytes):	276
Entropy (8bit):	3.387641022869369
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1G/JgLlm6nriIM8lfQVn:DsO+vNloRKQ1wORm4mA2n
MD5:	0AD3EE70704C86C853A00415B0BE0C54
SHA1:	101869F8C3F9AFA170C7B77579C53528C459F205
SHA-256:	12E181ECBC5FC8BD269EFAF53A2A6DEC49C0DA34DDE82F139A4DCF03D3F9BA02
SHA-512:	2AC1663C490AF0FC68BF37C0EE83053DCC9AB5E38D2116508B50DAE1097DD129C63001F17E5A5A409F0A287ABEE174CAEC2D753D560936288E8D33D48FE79F25
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.f.l.e.x.u.o.s.e.l.y.\.a.g.e.l.e.s.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.929162536945725
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	tN8GsMV1le.exe
File size:	665'600 bytes
MD5:	80d1696d1faeb3a13686b7ad4620e8af
SHA1:	4181929b796b7fd1583aa3e2add32d89f1d753c3
SHA256:	0ed8ca46015ab7478fea92df5e02cee1939cc83f3ab308dd50d973fbce00aa36
SHA512:	7668327f6bf157d23f8055da68caf4ea6b3516e8c664d24e56512282c86b905b559a8484a7e449158b1c651b9ee22041e5c947641027f0e275533e3ac9128c70
SSDEEP:	12288:PsHzOUNUSB/o5LsI1uwajJ5yvv1l2prD5jZUdhA2fSHa2oHzIiGZ6nQ:eiUmSB/o5d1ubcvcrNjZi7thEi+6Q
TLSH:	B1E423176880A90CD6E236FD70F095B6A336BDA015348196DEF4BFA48E31263CDC55ED
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	8f82989919951d01

Static PE Info

General

Entrypoint:	0x52a700
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67838B19 [Sun Jan 12 09:27:53 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	21371b611d91188d602926b15db6bd48

Entrypoint Preview

Instruction
pushad
mov esi, 004CE000h
lea edi, dword ptr [esi-000CD000h]
mov dword ptr [edi+000CF740h], 13800C02h
push edi
jmp 00007FEE00C8A4A3h
nop
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FEE00C8A499h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FEE00C8A47Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FEE00C8A499h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FEE00C8A49Dh
jne 00007FEE00C8A4BAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FEE00C8A4B1h
dec eax
add ebx, ebx
jne 00007FEE00C8A499h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FEE00C8A466h
add ebx, ebx
jne 00007FEE00C8A499h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FEE00C8A4E4h
xor ecx, ecx
sub eax, 03h
jc 00007FEE00C8A4A3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FEE00C8A507h
sar eax, 1
mov ebp, eax
jmp 00007FEE00C8A49Dh
add ebx, ebx
jne 00007FEE00C8A499h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FEE00C8A45Eh
inc ecx
add ebx, ebx
jne 00007FEE00C8A499h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FEE00C8A450h
add ebx, ebx
jne 00007FEE00C8A499h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FEE00C8A481h
jne 00007FEE00C8A49Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FEE00C8A476h
add ecx, 02h
cmp ebp, 00000000h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x170560	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12b000	0x45560	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x170984	0x14	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x12a8f4	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x12a914	0xa0	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xcd000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xce000	0x5d000	0x5ca00	d1f2fc73ca6587fa0298827cef415a4f	False	0.9885158358636977	data	7.936945176873406	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12b000	0x46000	0x45a00	53a0ce906c987d5e50f842d0381661f4	False	0.9114185929084381	data	7.86236761444327	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12b4ec	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x12b618	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x12b744	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x12b870	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.5487588652482269
RT_ICON	0x12bcdc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.37922138836772984
RT_ICON	0x12cd88	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.28060165975103735
RT_ICON	0x12f334	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	Great Britain	0.25614076523382145
RT_MENU	0xdc540	0x50	data	English	Great Britain	1.1375
RT_STRING	0xdc590	0x594	data	English	Great Britain	1.007703081232493
RT_STRING	0xdcb24	0x68a	data	English	Great Britain	1.0065710872162486
RT_STRING	0xdd1b0	0x490	data	English	Great Britain	1.009417808219178
RT_STRING	0xdd640	0x5fc	data	English	Great Britain	1.0071801566579635
RT_STRING	0xddc3c	0x65c	data	English	Great Britain	1.0067567567567568
RT_STRING	0xde298	0x466	COM executable for DOS	English	Great Britain	1.0097690941385435
RT_STRING	0xde700	0x158	data	English	Great Britain	1.0319767441860466
RT_RCDATA	0x133560	0x3ca9e	data			1.000346107100025
RT_GROUP_ICON	0x170004	0x3e	data	English	Great Britain	0.8387096774193549
RT_GROUP_ICON	0x170048	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x170060	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x170078	0x14	data	English	Great Britain	1.25
RT_VERSION	0x170090	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x170170	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetSaveFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetGetConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	OleLoadPicture
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T15:08:34.055922+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	132.226.8.169	80	TCP
2025-01-13T15:08:46.649609+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49732	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 15:08:32.803597927 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:08:32.808620930 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 15:08:32.808760881 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:08:32.828130007 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:08:32.833178043 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 15:08:33.699239969 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 15:08:33.707763910 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:08:33.712697983 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 15:08:34.015433073 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 15:08:34.026268005 CET	49731	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:34.026330948 CET	443	49731	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:34.026415110 CET	49731	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:34.055922031 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:08:34.085014105 CET	49731	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:34.085059881 CET	443	49731	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:34.583304882 CET	443	49731	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:34.583431005 CET	49731	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:34.590853930 CET	49731	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:34.590882063 CET	443	49731	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:34.591223001 CET	443	49731	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:34.633997917 CET	49731	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:34.640672922 CET	49731	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:34.683373928 CET	443	49731	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:34.756454945 CET	443	49731	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:34.756681919 CET	443	49731	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:34.756973028 CET	49731	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:34.762955904 CET	49731	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:45.436870098 CET	49732	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:08:45.442497969 CET	80	49732	132.226.8.169	192.168.2.4
Jan 13, 2025 15:08:45.442569017 CET	49732	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:08:45.442889929 CET	49732	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:08:45.448235035 CET	80	49732	132.226.8.169	192.168.2.4
Jan 13, 2025 15:08:46.294251919 CET	80	49732	132.226.8.169	192.168.2.4
Jan 13, 2025 15:08:46.297972918 CET	49732	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:08:46.302872896 CET	80	49732	132.226.8.169	192.168.2.4
Jan 13, 2025 15:08:46.597562075 CET	80	49732	132.226.8.169	192.168.2.4
Jan 13, 2025 15:08:46.599389076 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:46.599469900 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:46.599754095 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:46.603780031 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:46.603805065 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:46.649609089 CET	49732	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:08:47.068599939 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:47.068727970 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:47.070436954 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:47.070466042 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:47.071010113 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:47.118365049 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:47.157795906 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:47.199361086 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:47.302088022 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:47.302237034 CET	443	49734	104.21.32.1	192.168.2.4
Jan 13, 2025 15:08:47.302293062 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:08:47.306010962 CET	49734	443	192.168.2.4	104.21.32.1
Jan 13, 2025 15:09:39.010864019 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 15:09:39.010952950 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:09:51.591379881 CET	80	49732	132.226.8.169	192.168.2.4
Jan 13, 2025 15:09:51.591535091 CET	49732	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:10:14.024769068 CET	49730	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:10:14.030747890 CET	80	49730	132.226.8.169	192.168.2.4
Jan 13, 2025 15:10:26.602588892 CET	49732	80	192.168.2.4	132.226.8.169
Jan 13, 2025 15:10:26.607486963 CET	80	49732	132.226.8.169	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 15:08:32.785182953 CET	51340	53	192.168.2.4	1.1.1.1
Jan 13, 2025 15:08:32.792376995 CET	53	51340	1.1.1.1	192.168.2.4
Jan 13, 2025 15:08:34.017265081 CET	55524	53	192.168.2.4	1.1.1.1
Jan 13, 2025 15:08:34.025415897 CET	53	55524	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 15:08:32.785182953 CET	192.168.2.4	1.1.1.1	0x83db	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:08:34.017265081 CET	192.168.2.4	1.1.1.1	0x158d	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 15:08:32.792376995 CET	1.1.1.1	192.168.2.4	0x83db	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 15:08:32.792376995 CET	1.1.1.1	192.168.2.4	0x83db	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:08:32.792376995 CET	1.1.1.1	192.168.2.4	0x83db	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:08:32.792376995 CET	1.1.1.1	192.168.2.4	0x83db	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:08:32.792376995 CET	1.1.1.1	192.168.2.4	0x83db	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:08:32.792376995 CET	1.1.1.1	192.168.2.4	0x83db	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:08:34.025415897 CET	1.1.1.1	192.168.2.4	0x158d	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:08:34.025415897 CET	1.1.1.1	192.168.2.4	0x158d	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:08:34.025415897 CET	1.1.1.1	192.168.2.4	0x158d	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:08:34.025415897 CET	1.1.1.1	192.168.2.4	0x158d	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:08:34.025415897 CET	1.1.1.1	192.168.2.4	0x158d	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:08:34.025415897 CET	1.1.1.1	192.168.2.4	0x158d	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:08:34.025415897 CET	1.1.1.1	192.168.2.4	0x158d	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	132.226.8.169	80	7472	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 15:08:32.828130007 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 15:08:33.699239969 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 14:08:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 15:08:33.707763910 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 15:08:34.015433073 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 14:08:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	132.226.8.169	80	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 15:08:45.442889929 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 15:08:46.294251919 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 14:08:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 15:08:46.297972918 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 15:08:46.597562075 CET	273	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 14:08:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.21.32.1	443	7472	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 14:08:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 14:08:34 UTC	857	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 14:08:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2092103 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1dc5e1M%2FLpAudMIQAj8RpQjNi%2BwbMkhKGkXp7k3KjG8sOj0YLaCajB4r2%2BmKts2TnfUAR7eGRyPpctoSOBgK6Io1XELNHmx5bQjacrQ8RUeJl8ckELU%2FADzpGDoGfGFOF47Z21mz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015f588c80472b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1788&min_rtt=1779&rtt_var=687&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1571582&cwnd=217&unsent_bytes=0&cid=fecdc43ebd4ceee2&ts=192&x=0"
2025-01-13 14:08:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	104.21.32.1	443	7704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 14:08:47 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 14:08:47 UTC	863	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 14:08:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2092116 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PinwbJ%2BkffVT0Y09SFU06bCyE9d1kB9oM9NISA%2Fa7jyYno%2BtfBsWlXmz0PCsnH3mzAvFxH5LTII%2F2t9Gx%2Fmq3FrwQKbtUjFxc%2BKOLnV%2BJGW29RZ8FY7VOMJiTADxox0XQUiSgv7b"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015f5d73dc18cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1774&min_rtt=1766&rtt_var=679&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1590413&cwnd=244&unsent_bytes=0&cid=8c9e9612169bda49&ts=242&x=0"
2025-01-13 14:08:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	09:08:29
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\tN8GsMV1le.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tN8GsMV1le.exe"
Imagebase:	0x7c0000
File size:	665'600 bytes
MD5 hash:	80D1696D1FAEB3A13686B7AD4620E8AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:08:29
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\flexuosely\ageless.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tN8GsMV1le.exe"
Imagebase:	0x250000
File size:	665'600 bytes
MD5 hash:	80D1696D1FAEB3A13686B7AD4620E8AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.1759954673.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs Detection: 45%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:08:30
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tN8GsMV1le.exe"
Imagebase:	0x2f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2988302345.00000000026B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:08:42
Start date:	13/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs"
Imagebase:	0x7ff6a2e50000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:08:43
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\flexuosely\ageless.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\flexuosely\ageless.exe"
Imagebase:	0x250000
File size:	665'600 bytes
MD5 hash:	80D1696D1FAEB3A13686B7AD4620E8AF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.1889243084.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:08:44
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\flexuosely\ageless.exe"
Imagebase:	0xb30000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2988584382.0000000003005000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	5.5%
Total number of Nodes:	1560
Total number of Limit Nodes:	45

Executed Functions

Function 007C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007C430D

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

GetCurrentProcess.KERNEL32(?,0085CB64,00000000,?,?), ref: 007C4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 007C4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 007C4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007C4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 007C4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 007C447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007C44A0

Strings

GetNativeSystemInfo, xrefs: 007C4460
kernel32.dll, xrefs: 007C444F
|O, xrefs: 008036F8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 85377e108e7df802bfd6884d83de35b68c0f4a7e033e81a48c06fab647145d73
Instruction ID: 877f89cdbcc267a00211539e8e5e73aa2dd8269f22b28fbab3604a7d915e7fef
Opcode Fuzzy Hash: 85377e108e7df802bfd6884d83de35b68c0f4a7e033e81a48c06fab647145d73
Instruction Fuzzy Hash: F2A1856590E3C2DFCF16E7797C496A67FB8BB66300B1C44AFD44193B61D62C4608EB21

Function 007C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,007C316A,?,?), ref: 007C31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,007C316A,?,?), ref: 007C3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007C3227
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007C3232
CreatePopupMenu.USER32 ref: 007C3246
PostQuitMessage.USER32(00000000), ref: 007C3267

Strings

TaskbarCreated, xrefs: 007C322D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 325329408b397b50699891cc3888727433dfc2025cad70639e8ce8f6f39e228a
Instruction ID: 31d86aab01b88ff0ffcd981ba878570e65abad4e90c1351b976ae614db042165
Opcode Fuzzy Hash: 325329408b397b50699891cc3888727433dfc2025cad70639e8ce8f6f39e228a
Instruction Fuzzy Hash: 5541D735248209AFDF152B789D4DFB93B69F705340F0C812EF902C66E1C76D9E40ABA1

Function 007C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 007C42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007C50AA,?,?,00000000,00000000), ref: 007C42C9
LoadResource.KERNEL32(?,00000000,?,?,007C50AA,?,?,00000000,00000000,?,?,?,?,?,?,007C4F20), ref: 008035BE
SizeofResource.KERNEL32(?,00000000,?,?,007C50AA,?,?,00000000,00000000,?,?,?,?,?,?,007C4F20), ref: 008035D3
LockResource.KERNEL32(007C50AA,?,?,007C50AA,?,?,00000000,00000000,?,?,?,?,?,?,007C4F20,?), ref: 008035E6

Strings

SCRIPT, xrefs: 007C42BF

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 1ee6d77447cd219d20e929bbe9dff02f2452c3e80102016f9d68713d308c1e92
Instruction ID: bc047b3bcfcb8bc9d01cf56bbc71226552b3774464744a5f2c00cbf489c35105
Opcode Fuzzy Hash: 1ee6d77447cd219d20e929bbe9dff02f2452c3e80102016f9d68713d308c1e92
Instruction Fuzzy Hash: 6B117971200700BFEB218BA5DC49F277BBAFBC5B52F20816DB816D62A0DB75D800DA20

Function 00802BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 007C2B6B

Part of subcall function 007C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00891418,?,007C2E7F,?,?,?,00000000), ref: 007C3A78

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00882224), ref: 00802C10
ShellExecuteW.SHELL32(00000000,?,?,00882224), ref: 00802C17

Strings

runas, xrefs: 00802C0B

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c2a164baaa303c2780b43db4508404e0804ac25bb8911e46108a781bec5159b9
Instruction ID: cbadce0eefe39af43e481c5cdded0b2d91fe8c15ac48121c378e466dc42b696e
Opcode Fuzzy Hash: c2a164baaa303c2780b43db4508404e0804ac25bb8911e46108a781bec5159b9
Instruction Fuzzy Hash: A911D231208341DACB14FF60D85DFAEBBA5FB94310F48442DF192420A3DF2C894A8712

Function 007CD730 Relevance: 21.6, APIs: 14, Instructions: 623sleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007CD807
timeGetTime.WINMM ref: 007CDA07
Sleep.KERNEL32(0000000A), ref: 007CDBB1

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 86c5cb96f59177f098f9862ee03a33ce0af133e91b57f7bff42ed477f8d7208b
Instruction ID: 8ec6db029b2263934147f965f486b12ccf2834d0bc8b02479fe64185be12bfa5
Opcode Fuzzy Hash: 86c5cb96f59177f098f9862ee03a33ce0af133e91b57f7bff42ed477f8d7208b
Instruction Fuzzy Hash: 5542AD70608341EFDB35DF24C888FAAB7A5FF85304F14852EE55687291D778AC94CB92

Function 0080065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0080039A: CreateFileW.KERNELBASE(00000000,00000000,?,00800704,?,?,00000000,?,00800704,00000000,0000000C), ref: 008003B7

GetLastError.KERNEL32 ref: 0080076F
__dosmaperr.LIBCMT ref: 00800776
GetFileType.KERNELBASE(00000000), ref: 00800782
GetLastError.KERNEL32 ref: 0080078C
__dosmaperr.LIBCMT ref: 00800795
CloseHandle.KERNEL32(00000000), ref: 008007B5
CloseHandle.KERNEL32(?), ref: 008008FF
GetLastError.KERNEL32 ref: 00800931
__dosmaperr.LIBCMT ref: 00800938

Strings

H, xrefs: 008008BD

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: f12c2bdba94906bd693ed0cd2ce33d9df6858d41d45c9b36e884e0cc3316bf0a
Instruction ID: 76461b565d984ef6a90e71f7766223acc16a769d36a058756c863045d39662f6
Opcode Fuzzy Hash: f12c2bdba94906bd693ed0cd2ce33d9df6858d41d45c9b36e884e0cc3316bf0a
Instruction Fuzzy Hash: 24A13632A002488FDF19AF68DC55BAE3BA0FB06324F14415AF815DB3D2DB359912CF92

Function 007C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00891418,?,007C2E7F,?,?,?,00000000), ref: 007C3A78

Part of subcall function 007C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007C3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007C356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0080318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008031CE
RegCloseKey.ADVAPI32(?), ref: 00803210
_wcslen.LIBCMT ref: 00803277
_wcslen.LIBCMT ref: 00803286

Strings

\, xrefs: 0080328C
Include, xrefs: 00803184, 008031C5
\Include\, xrefs: 007C3527
Software\AutoIt v3\AutoIt, xrefs: 007C3560

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 2a65889e515c95e85fd32e6f328fe66fa467e8dbf61182c34877296672313600
Instruction ID: f34e1c1a9b4552f75af602e5985a78e26473695cb287f801d2ed79d84cd9e032
Opcode Fuzzy Hash: 2a65889e515c95e85fd32e6f328fe66fa467e8dbf61182c34877296672313600
Instruction Fuzzy Hash: F1716C71505301EEC314EF65EC869ABBBE8FF89340B44452EF545D32B1EB389A48DB62

Function 007C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007C2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 007C2B9D
LoadIconW.USER32(00000063), ref: 007C2BB3
LoadIconW.USER32(000000A4), ref: 007C2BC5
LoadIconW.USER32(000000A2), ref: 007C2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007C2BEF
RegisterClassExW.USER32(?), ref: 007C2C40

Part of subcall function 007C2CD4: GetSysColorBrush.USER32(0000000F), ref: 007C2D07
Part of subcall function 007C2CD4: RegisterClassExW.USER32(00000030), ref: 007C2D31
Part of subcall function 007C2CD4: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007C2D42
Part of subcall function 007C2CD4: LoadIconW.USER32(000000A9), ref: 007C2D85

Strings

AutoIt v3, xrefs: 007C2C2F
#, xrefs: 007C2C16
0, xrefs: 007C2C0F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: ebb1f9b92a4203b603fed041209b49684bc7dcb26331c05461d338a06bde891a
Instruction ID: 5643461955c447aa3e7c3e07ed61d6bcf6bb62529ec538eb7057c4358dda30b2
Opcode Fuzzy Hash: ebb1f9b92a4203b603fed041209b49684bc7dcb26331c05461d338a06bde891a
Instruction Fuzzy Hash: 7B211A70E04319AFDF10AFA9EC59B997FB4FB48B50F08411BE504A67A0D7B90540EF90

Function 007C2CD4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007C2D07
RegisterClassExW.USER32(00000030), ref: 007C2D31
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007C2D42
LoadIconW.USER32(000000A9), ref: 007C2D85

Strings

0, xrefs: 007C2CE9
AutoIt v3 GUI, xrefs: 007C2D23
+, xrefs: 007C2CF0
TaskbarCreated, xrefs: 007C2D37

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: c56f464fd07a216dc0c55e20c3a9fc8ed6d7bece3386665310a908e3c5f91bcf
Instruction ID: 37bf9d576a46a9cb043270db42efa9b5cc69a5cdd284c1c3d9e221916fc79750
Opcode Fuzzy Hash: c56f464fd07a216dc0c55e20c3a9fc8ed6d7bece3386665310a908e3c5f91bcf
Instruction Fuzzy Hash: 9F21B2B5905319AFDF00EFA4EC49B9DBFB4FB08B01F14811AFA11A62A0D7B95544CF91

Function 017CDF00 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 017CDF45

Memory Dump Source

Source File: 00000000.00000002.1741459454.00000000017CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_tN8GsMV1le.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 00396d21a834ad2dedad4bb9a9d3560c21f08218a25e892cd42053cbf6d81f51
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: E551FC75A50249FBDF20DFA4CC49FDEBB78BF48B00F108558FA59EA1C0DA7496448BA1

Function 007C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007C2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007C2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,007C1CAD,?), ref: 007C2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,007C1CAD,?), ref: 007C2CCF

Strings

AutoIt v3, xrefs: 007C2C89, 007C2C8E, 007C2C8F
edit, xrefs: 007C2CAC

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ac1ae4fb455c1bf6644759a41150ef7ae0ae30780858ed2996971231fef3964f
Instruction ID: 122572d6b13ff50bc621053de1057b4ad885caa5a5304f01e7feddc591a9e2ee
Opcode Fuzzy Hash: ac1ae4fb455c1bf6644759a41150ef7ae0ae30780858ed2996971231fef3964f
Instruction Fuzzy Hash: 9FF0DA755443917EEF312727AC0CE772EBDF7CAF51B04005AF904A26A0C6791854EEB0

Function 008EA700 Relevance: 7.7, APIs: 5, Instructions: 207
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 008EA84A
GetProcAddress.KERNEL32(?,008E3FF9), ref: 008EA868
ExitProcess.KERNEL32(?,008E3FF9), ref: 008EA879
VirtualProtect.KERNELBASE(007C0000,00001000,00000004,?,00000000), ref: 008EA8C7
VirtualProtect.KERNELBASE(007C0000,00001000,?,?,?,00000000), ref: 008EA8DC

Memory Dump Source

Source File: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 6d1542817a9bdb356d37fe16b1297f2bbcdb02e2e7cb3f76d35fee02ec3c959d
Instruction ID: 818956bcf84afc7bbd3bfe13c25d6f54b6c9a942c0102661ff3002c5379eeda5
Opcode Fuzzy Hash: 6d1542817a9bdb356d37fe16b1297f2bbcdb02e2e7cb3f76d35fee02ec3c959d
Instruction Fuzzy Hash: 8A5129B2A443965BD728DE79DCC066077A4FB53B247280739C9E2C73C5E7A47C068762

Function 017CF9B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 164
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 017CF8A0: Sleep.KERNELBASE(000001F4), ref: 017CF8B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017CFB0B

Strings

F1E2SELYEZ34QCDUESCCY0VLXW, xrefs: 017CFB8B, 017CFB8E

Memory Dump Source

Source File: 00000000.00000002.1741459454.00000000017CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_tN8GsMV1le.jbxd

Similarity

API ID: CreateFileSleep
String ID: F1E2SELYEZ34QCDUESCCY0VLXW
API String ID: 2694422964-1065262266
Opcode ID: 19e4d25913f06c4eff6f5b433fc0c3887425ed1eaa67f734deec09b520e85571
Instruction ID: 207e7e5c1a2bb1cd4d15a06336527ed5f6e933dc354ce6bb864c9f74b730ba8f
Opcode Fuzzy Hash: 19e4d25913f06c4eff6f5b433fc0c3887425ed1eaa67f734deec09b520e85571
Instruction Fuzzy Hash: 22616130D08248DAEF11DBB4C858BEEBB75AF15704F04459CE2487B2C1D7B91B49CBA5

Function 007C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,007C3B0F,SwapMouseButtons,00000004,?), ref: 007C3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,007C3B0F,SwapMouseButtons,00000004,?), ref: 007C3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,007C3B0F,SwapMouseButtons,00000004,?), ref: 007C3B83

Strings

Control Panel\Mouse, xrefs: 007C3B3E

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9c8030313db181661d32c067842f3f77f430c98c4195f7efd825a160fab383a0
Instruction ID: 18c0af9de58db67b25e2d5d45c0897365addcfb2ec79d1cd9fc069948672e21a
Opcode Fuzzy Hash: 9c8030313db181661d32c067842f3f77f430c98c4195f7efd825a160fab383a0
Instruction Fuzzy Hash: 0D1127B5610208FFDB208FA5DC84EEFBBB8EF04795B10846EB805D7110E235AE409BA0

Function 007CDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008132B7

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: dc3f5122b018b970b883b06a68c3cdb5b2057244d41427fb7a0e9e8d63cff7ae
Instruction ID: 71d6c66c30a8adbca869514a7f07baf3d1c27886e606a198c0f79f1c725403f7
Opcode Fuzzy Hash: dc3f5122b018b970b883b06a68c3cdb5b2057244d41427fb7a0e9e8d63cff7ae
Instruction Fuzzy Hash: B5C24571A00214DFCB24DF58C884BADB7B5FF18310F24856EE956AB391D379AD81CB91

Function 007C3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008033A2

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 007C3A04

Strings

Line: , xrefs: 008033EB

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 7eee438ef9bcf23b1f134f0b4a16973b90e5a9f89af924d2075c2a6ce636a62e
Instruction ID: 8819eea696ff22caa13f904329a7335340c7115a082d19f31f2670af5a0d4ec2
Opcode Fuzzy Hash: 7eee438ef9bcf23b1f134f0b4a16973b90e5a9f89af924d2075c2a6ce636a62e
Instruction Fuzzy Hash: 6A31C271408301AAD721EB20DC49FEBB7ECBB44714F04892EF59992291DB7CAA48C7C2

Function 007DFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 007E0668

Part of subcall function 007E32A4: RaiseException.KERNEL32(?,?,?,007E068A,?,00891444,?,?,?,?,?,?,007E068A,007C1129,00888738,007C1129), ref: 007E3304

__CxxThrowException@8.LIBVCRUNTIME ref: 007E0685

Strings

Unknown exception, xrefs: 007E0692

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b9a732f339d1fb9e90f0d2163463b3e974ebc1e738862f35fad4af28cbd7e9e4
Instruction ID: 8c0d27525c9208a91f4cb87982e1bd4ab32a0219edb697a197c4835dd280a50a
Opcode Fuzzy Hash: b9a732f339d1fb9e90f0d2163463b3e974ebc1e738862f35fad4af28cbd7e9e4
Instruction Fuzzy Hash: 58F04C3490128DF3CF00B676D84ED5E777DAE04310BA04431F924D6691EFB8DA65C6C0

Function 017CE5E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 017CE625
ExitProcess.KERNEL32(00000000), ref: 017CE644

Strings

D, xrefs: 017CE5F1

Memory Dump Source

Source File: 00000000.00000002.1741459454.00000000017CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_tN8GsMV1le.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
Instruction ID: 0caef6cfb0a0badfbe33d6bf317486098ec2461d5c58e93910791aa7837c453b
Opcode Fuzzy Hash: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
Instruction Fuzzy Hash: 8CF0C975540248ABDB60DFE4CC49FEEB778AB04B01F14850CFA0A9A184DA7496088B61

Function 00847F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 008482F5
TerminateProcess.KERNEL32(00000000), ref: 008482FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 008484DD

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 35262fb28f3b29be7d4d03b8a4b86485d9ef4512f70bb4fbe4204b744b11438b
Instruction ID: 623915f23a4086d1d853db6e9e33ff4344626fce232997f146859de2950e0c7e
Opcode Fuzzy Hash: 35262fb28f3b29be7d4d03b8a4b86485d9ef4512f70bb4fbe4204b744b11438b
Instruction Fuzzy Hash: B1125871A08345DFC724DF28C484B2ABBE5FF89318F04895DE889CB252DB35E945CB92

Function 007C10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007C1BF4
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 007C1BFC
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007C1C07
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007C1C12
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 007C1C1A
Part of subcall function 007C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 007C1C22

Part of subcall function 007C1B4A: RegisterClipboardFormatW.USER32(00000004), ref: 007C1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007C136A
OleInitialize.OLE32 ref: 007C1388
CloseHandle.KERNEL32(00000000,00000000), ref: 008024AB

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID:
API String ID: 3094916012-0
Opcode ID: 648db96c1f4162595524f4b7cd22c550c04d569668c18cba72632e12f5743cd9
Instruction ID: edd2bf79495671fb66d00451c9b4c2c1d9e87d2ccf29af1dd76bae969a3e2a5c
Opcode Fuzzy Hash: 648db96c1f4162595524f4b7cd22c550c04d569668c18cba72632e12f5743cd9
Instruction Fuzzy Hash: 2071B7B49193028ECF85FFB9A94DA583BE1FB8834434E822FE51AD7261EB344409CF44

Function 007F86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007F85CC,?,00888CC8,0000000C), ref: 007F8704
GetLastError.KERNEL32(?,007F85CC,?,00888CC8,0000000C), ref: 007F870E
__dosmaperr.LIBCMT ref: 007F8739

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 667951fa9933c60d698ac04c79d75b9f40f78a9bbbb3a8944b0eb03e8913a3c3
Instruction ID: 3073a3774a925ade5aefb2766007471988db13c6d119924614a4fd1bfc997411
Opcode Fuzzy Hash: 667951fa9933c60d698ac04c79d75b9f40f78a9bbbb3a8944b0eb03e8913a3c3
Instruction Fuzzy Hash: EE016B33605A285AC2A07338A84D77E67894F8277DF390119FB14CB3D3DEAC8C818152

Function 007D1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007D17F6

Strings

CALL, xrefs: 007D17C6

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 56239767ec0312c2d4d8b13ce76b85babaa9eda98aae120f86ac986f4754e05a
Instruction ID: 170eba3241e4f5feeab7120dc3ac26264de3484d04bde3e3363a1f885dac8afc
Opcode Fuzzy Hash: 56239767ec0312c2d4d8b13ce76b85babaa9eda98aae120f86ac986f4754e05a
Instruction Fuzzy Hash: 7922AB70608201EFC714DF14C484A6ABBF5FF89314F58896EF4968B362D739E895CB92

Function 007C3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 007C3908

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f581e03c7a8f7e987a57c4a5a8e90964553bcc1df6d5c9502572ca0343bd820b
Instruction ID: 2911a6f6d5dcfe648347823d47dcbb842dc7815cc925c37a7e28ecda6d1ec9ca
Opcode Fuzzy Hash: f581e03c7a8f7e987a57c4a5a8e90964553bcc1df6d5c9502572ca0343bd820b
Instruction Fuzzy Hash: 1E314C705047019FD721EF24D889B97BBF8FB49708F04096EF59987250E779AA44CB52

Function 007C5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,007C949C,?,00008000), ref: 007C5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,007C949C,?,00008000), ref: 00804052

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 87285a83cbefd28ad99c9e4f320182cfbf96b6f5eb0dfabb10542e508ad032a2
Instruction ID: b9949a9906a9d1cb8a4a5c0cc9b1c8492a4018bf54af2f74077197fd30107e99
Opcode Fuzzy Hash: 87285a83cbefd28ad99c9e4f320182cfbf96b6f5eb0dfabb10542e508ad032a2
Instruction Fuzzy Hash: 40015631185725B6E3714A26DC0EF977F58EF027B1F148318BA5C6E1E0C7B95494CB90

Function 007CB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007CBB4E

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 73e8e770284e2cdbfd20ce25f266b5574f5b97f55095e614e8b52cfe8822ec2d
Instruction ID: 268623ebc21e7483f4b3376d7817008d3fcdd4e8d3ef4fd5f2ca0c7bb4c193a6
Opcode Fuzzy Hash: 73e8e770284e2cdbfd20ce25f266b5574f5b97f55095e614e8b52cfe8822ec2d
Instruction Fuzzy Hash: 1A325770A00209EFDB24DF54C895FAAB7B9FF44314F18805EE915AB361D7B8AD81CB91

Function 0084709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 899bf37f96b25014e8d618a38a1c4023344191380d720f7b05a82c38b5f1eaf5
Instruction ID: 6623c1d3f6b3ff5888dcf1d288235d7540ef6fb09e8b31a91090e4f784ca2a64
Opcode Fuzzy Hash: 899bf37f96b25014e8d618a38a1c4023344191380d720f7b05a82c38b5f1eaf5
Instruction Fuzzy Hash: 85D14935A0420AEFCB14EF98D885DADBBB5FF48314F54405AE905EB391EB34AD81CB91

Function 017CE650 Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

Part of subcall function 017CDEC0: GetFileAttributesW.KERNELBASE(?), ref: 017CDECB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 017CE7A3

Memory Dump Source

Source File: 00000000.00000002.1741459454.00000000017CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_tN8GsMV1le.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 516061d2a3901029d7a1f462c3b17f0f114a7ce6c6826a2e6b31c4829f33dda1
Instruction ID: efaf641cdfec2477e71b7063b22dfd927411412823ce713d4a4bf595a65a826f
Opcode Fuzzy Hash: 516061d2a3901029d7a1f462c3b17f0f114a7ce6c6826a2e6b31c4829f33dda1
Instruction Fuzzy Hash: F451853191120996EF14EFA0C854BEFB77AEF58700F10956CA609F7290EB399B44C765

Function 007DFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 007DFD1F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b7388a05acd092c146063079422f1be93cc10a186690ebe2202d57e224d96bf6
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B731F274A00109DBC718DF69D490969FBB2FF49304B2886A6E80ACB756D735EDD1CBD0

Function 007C4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E9C
Part of subcall function 007C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007C4EAE
Part of subcall function 007C4E90: FreeLibrary.KERNEL32(00000000,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4EFD

Part of subcall function 007C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E62
Part of subcall function 007C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007C4E74
Part of subcall function 007C4E59: FreeLibrary.KERNEL32(00000000,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E87

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: ded36f688c4f8f721d340c7ea0670173cb23ac468248f9ad9572c1f4d52b869e
Instruction ID: 2ef5f14424b6eed17ece98477c23933e679b092b49d5cdd0444040d6d73d00d4
Opcode Fuzzy Hash: ded36f688c4f8f721d340c7ea0670173cb23ac468248f9ad9572c1f4d52b869e
Instruction Fuzzy Hash: 8D112332600305EADB10EB60DC2AFAD77A5AF40710F10842DF442E61C1EEB9AA449B90

Function 007F8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 007F8440

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: cb488dd69ccc24184284455ac54777f00ae5d3461d38e1c4dfeef1f1dd264e29
Instruction ID: 0c977caf22b3412f986230ffa549b95e20432214a39e06f3dc072f595c170273
Opcode Fuzzy Hash: cb488dd69ccc24184284455ac54777f00ae5d3461d38e1c4dfeef1f1dd264e29
Instruction Fuzzy Hash: 5911187590410EAFCB05DF58E9419AE7BF5FF48314F144059F908AB312DB31DA11CBA5

Function 007EE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 45546a8bc570fe10392127206bba3d3268b3180ec5b887669ee8dfe662f4a0f5
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: EEF0F932512A54D7C6313B679C09B6A33989F56334F100B15F620932D2DB7CE80285A6

Function 007C9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007C9CBD

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
Instruction ID: d74d542f555df04f72bdf4a7d9e329ed24ad942bfb3102e77330feca38911b23
Opcode Fuzzy Hash: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
Instruction Fuzzy Hash: 82F0A4B3601600AED7249F39D80AF66BBA4EB44760F10852EF61ADB2D1DB75E51086E0

Function 007F3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00891444), ref: 007F3852

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 25af23fe168060a7cdc5fa170f32f329af7bbf25080e5fe4683ea8483bc26ef9
Instruction ID: a4fd2732631dac0ff22c91ca100ef3f7b04b8b3c6f3ae6e853b2fbbc473c8a9e
Opcode Fuzzy Hash: 25af23fe168060a7cdc5fa170f32f329af7bbf25080e5fe4683ea8483bc26ef9
Instruction Fuzzy Hash: B2E0E53210526CEAE62126779D08BBA3648AB42BF0F090022BE0592780DB1DDD0191F0

Function 007C4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4F6D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b8691accf1d7ea1b06a1508f3081c44fa4728977a5553eb638d82116deb31764
Instruction ID: 5fbd48d89e97c6e2f76f7da1b9427d0e72e52ad64ac658987b502e8432390a92
Opcode Fuzzy Hash: b8691accf1d7ea1b06a1508f3081c44fa4728977a5553eb638d82116deb31764
Instruction Fuzzy Hash: ACF03971105B52CFDB349F64D4A4E22BBE4BF14329328897EE1EA82621CB399844DF10

Function 0082CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0080EE51,00883630,00000002), ref: 0082CD26

Part of subcall function 0082CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0082CD19,?,?,?), ref: 0082CC59
Part of subcall function 0082CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0082CD19,?,?,?,?,0080EE51,00883630,00000002), ref: 0082CC6E
Part of subcall function 0082CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0082CD19,?,?,?,?,0080EE51,00883630,00000002), ref: 0082CC7A

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: c94b4b95b0fd29acc758c72f2ffa3e4dbff1e5827f61b32142971fc94a306a81
Instruction ID: 88dfdcc30586e4c75e5556331f4fd7e0b462d3e6eda9c77abb81636c9f8ba110
Opcode Fuzzy Hash: c94b4b95b0fd29acc758c72f2ffa3e4dbff1e5827f61b32142971fc94a306a81
Instruction Fuzzy Hash: FDE06D7A400714EFC7219F8AED008AABBF8FF84361710852FE996C2110D3B5AA54DF60

Function 007C2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007C2DC4

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: d701aa78a24bc517e05261061bdbdbd8f16e0f64b9000f72c391208299bbab44
Instruction ID: 4debc470f996a3e11a30a9bd83078f4ffbda616f3686f6456bd38a8e89e70e07
Opcode Fuzzy Hash: d701aa78a24bc517e05261061bdbdbd8f16e0f64b9000f72c391208299bbab44
Instruction Fuzzy Hash: 07E0CD726002245BCB10D6589C09FDA77DDEFC8790F040075FD09E7248DE64AD808551

Function 007C2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007C3908

Part of subcall function 007CD730: GetInputState.USER32 ref: 007CD807

SetCurrentDirectoryW.KERNEL32(?), ref: 007C2B6B

Part of subcall function 007C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 007C314E

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 916298041e1fb004ef1226405af083069107e2bad4226d4f58115f07c5d28af2
Instruction ID: 68e163206d2bfc5a02e74e6600c579bcb78b9f39c1e7479f58926ab4ad24cbc1
Opcode Fuzzy Hash: 916298041e1fb004ef1226405af083069107e2bad4226d4f58115f07c5d28af2
Instruction Fuzzy Hash: D2E0262230430486CE04BB70985EFBDB38AABD5311F00443EF14383163CE2C898A4351

Function 017CDEC0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 017CDECB

Memory Dump Source

Source File: 00000000.00000002.1741459454.00000000017CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_tN8GsMV1le.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 3e84695289fe198ef49078c1f203fd5e2aba66a8c848c65befab48a197c88509
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: DFE08C30A05208EBDB30CAE8C814AA9B3A8D71D720F0046ACE906C3680D5318A50DA94

Function 0080039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00800704,?,?,00000000,?,00800704,00000000,0000000C), ref: 008003B7

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d2eb18a98d635a953a0ed2615c65e600c1168331c8264732a9e76fbd7bfa57ac
Instruction ID: 5d050a0c656f8ed9a8026c00e2989806ecdb4d961cbd6743bfefc38030d6a30f
Opcode Fuzzy Hash: d2eb18a98d635a953a0ed2615c65e600c1168331c8264732a9e76fbd7bfa57ac
Instruction Fuzzy Hash: D5D06C3204020DBFDF028F84DD06EDA3BAAFB48714F014040BE1856020C736E821AB90

Function 017CDE90 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 017CDE9B

Memory Dump Source

Source File: 00000000.00000002.1741459454.00000000017CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_tN8GsMV1le.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 7a0c70ffc12ec2c30a7fffbf9436b900599ca79d67b8c3a77ca5b306d11d30ca
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: ACD05E3090520CABCB20DAE8D80499AB7A89709320F004768ED1583280D531A9409A94

Function 007C1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 007C1CBC

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 7247f474cee23eaaaf44ee1b64d6a6effc902ddcffec0a35d9e4a20e29bc3c98
Instruction ID: ad29ef87f67f7163155c2409e449ff87e6ac1f62e69bf18863f76f80ede139d5
Opcode Fuzzy Hash: 7247f474cee23eaaaf44ee1b64d6a6effc902ddcffec0a35d9e4a20e29bc3c98
Instruction Fuzzy Hash: DAC0923A280305AFF614ABD0BC4EF107764B348B01F488002F60DA96E3D3B62820EA50

Function 0083744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 007C5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,007C949C,?,00008000), ref: 007C5773

GetLastError.KERNEL32(00000002,00000000), ref: 008376DE

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 3359b9341b8eb2c12323b8db8539c0513869a5a05eceebfcc8f91535f53575ce
Instruction ID: 4782a2e0fbda9d376fb435293f59a37ed23de730e41d820ae465cd8735fb7711
Opcode Fuzzy Hash: 3359b9341b8eb2c12323b8db8539c0513869a5a05eceebfcc8f91535f53575ce
Instruction Fuzzy Hash: 44815A70208701DFCB24EF28C4A6B69B7E1FF99314F04451DF8969B2A2DB34E945CB92

Function 017CF89C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 017CF8B1

Memory Dump Source

Source File: 00000000.00000002.1741459454.00000000017CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_tN8GsMV1le.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 76739d5aee513873a2e3b316a448a47b58a388348c41d0a2a9a4f9beab63150e
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 94E0BF7498020EEFDB00EFA8D5496DE7BB4EF04701F1005A5FD05D7681DB309E548A62

Function 007C6246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,008024E0), ref: 007C6266

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 72b0c21b444c4ac5040ebdc20aac42df8f15045bd1884db14e308af661fa653b
Instruction ID: 6f5200ee6c1f1185245dea44c9a4ff7fb9ae888be54899e32dbd75b0e8c0e61c
Opcode Fuzzy Hash: 72b0c21b444c4ac5040ebdc20aac42df8f15045bd1884db14e308af661fa653b
Instruction Fuzzy Hash: E4E0BD75800B01CFC3318F1AE844952FBF9FFE13623208A2ED0E692664D3B4688A8F50

Function 017CF8A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 017CF8B1

Memory Dump Source

Source File: 00000000.00000002.1741459454.00000000017CD000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17cd000_tN8GsMV1le.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: a0600b8c10cf459329e2a7cc59d56138adcbb436d9c324bfb76cf9a636f9376f
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 0AE0E67498020EDFDB00EFB8D54969E7FF4EF04701F100165FD01D2281D6309D508A62

Non-executed Functions

Function 00859576 Relevance: 67.1, APIs: 36, Strings: 2, Instructions: 625windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0085961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0085965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0085969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008596C9
SendMessageW.USER32 ref: 008596F2
GetKeyState.USER32(00000011), ref: 0085978B
GetKeyState.USER32(00000009), ref: 00859798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008597AE
GetKeyState.USER32(00000010), ref: 008597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008597E9
SendMessageW.USER32 ref: 00859810
SendMessageW.USER32(?,00001030,?,00857E95), ref: 00859918
SetCapture.USER32(?), ref: 0085994A
ClientToScreen.USER32(?,?), ref: 008599AF
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008599D6
ReleaseCapture.USER32 ref: 008599E1
GetCursorPos.USER32(?), ref: 00859A19
ScreenToClient.USER32(?,?), ref: 00859A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00859A80
SendMessageW.USER32 ref: 00859AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00859AEB
SendMessageW.USER32 ref: 00859B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00859B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00859B4A
GetCursorPos.USER32(?), ref: 00859B68
ScreenToClient.USER32(?,?), ref: 00859B75
GetParent.USER32(?), ref: 00859B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00859BFA
SendMessageW.USER32 ref: 00859C2B
ClientToScreen.USER32(?,?), ref: 00859C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00859CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00859CDE
SendMessageW.USER32 ref: 00859D01
ClientToScreen.USER32(?,?), ref: 00859D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00859D82

Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952

GetWindowLongW.USER32(?,000000F0), ref: 00859E05

Strings

F, xrefs: 00859D07
@GUI_DRAGID, xrefs: 0085997D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease
String ID: @GUI_DRAGID$F
API String ID: 1312020300-4164748364
Opcode ID: a6d9fa54f27d8997d7fdb9573dcbc3942dcfb5b78e83cf456ca2b3c1cb65645a
Instruction ID: 7495d863705b04013d9cd65f269129a0830b2da7067333c66d2fa462d714347d
Opcode Fuzzy Hash: a6d9fa54f27d8997d7fdb9573dcbc3942dcfb5b78e83cf456ca2b3c1cb65645a
Instruction Fuzzy Hash: 9C428A34204301EFDB21CF64C948AAABBE5FF58356F14061EFA99C72A1E731A958DF41

Function 00854873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00854908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00854927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0085494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0085495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0085497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00854A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00854A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00854A7E
IsMenu.USER32(?), ref: 00854A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00854AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00854B20
GetWindowLongW.USER32(?,000000F0), ref: 00854B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00854BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00854C82
wsprintfW.USER32 ref: 00854CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00854CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00854CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00854D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00854D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00854D5A

Strings

%d/%02d/%02d, xrefs: 00854CA8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 511e67e86a4fe07e5b5e73b50bf0712fab09effa147d992e2b1ea7ee342c357f
Instruction ID: d1f01ec65d889646e4bbe05b457d179a2dfe5ac21c69df3b6d093944e8465031
Opcode Fuzzy Hash: 511e67e86a4fe07e5b5e73b50bf0712fab09effa147d992e2b1ea7ee342c357f
Instruction Fuzzy Hash: BB12D271500318AFEB258F28CC49FAE7BF4FF45319F105119F916EA2A1DB789989CB50

Function 007DF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 007DF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0081F474
IsIconic.USER32(00000000), ref: 0081F47D
ShowWindow.USER32(00000000,00000009), ref: 0081F48A
SetForegroundWindow.USER32(00000000), ref: 0081F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0081F4AA
GetCurrentThreadId.KERNEL32 ref: 0081F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0081F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0081F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0081F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0081F4DE
SetForegroundWindow.USER32(00000000), ref: 0081F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F4F6
keybd_event.USER32(00000012,00000000), ref: 0081F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F50B
keybd_event.USER32(00000012,00000000), ref: 0081F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F519
keybd_event.USER32(00000012,00000000), ref: 0081F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0081F528
keybd_event.USER32(00000012,00000000), ref: 0081F52D
SetForegroundWindow.USER32(00000000), ref: 0081F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0081F557

Strings

Shell_TrayWnd, xrefs: 0081F46F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: adc3e80ab14f2537985b3e29ef81caf63afa988af821e34e49eef7232a3576e0
Instruction ID: 4788ae02cdb41e003dd86e4f6a54a942c696b004a71c4ba8466ccbb75e742ea2
Opcode Fuzzy Hash: adc3e80ab14f2537985b3e29ef81caf63afa988af821e34e49eef7232a3576e0
Instruction Fuzzy Hash: 74315D71A40318BFEB216BB55C4AFBF7EADFB44B51F10006AFA01E61D1D6B45940AEA0

Function 00821201 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082170D
Part of subcall function 008216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0082173A
Part of subcall function 008216C3: GetLastError.KERNEL32 ref: 0082174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00821286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008212A8
CloseHandle.KERNEL32(?), ref: 008212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008212D1
GetProcessWindowStation.USER32 ref: 008212EA
SetProcessWindowStation.USER32(00000000), ref: 008212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00821310

Part of subcall function 008210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008211FC), ref: 008210D4
Part of subcall function 008210BF: CloseHandle.KERNEL32(?,?,008211FC), ref: 008210E9

Strings

winsta0\default, xrefs: 00821392
, xrefs: 0082125A
default, xrefs: 0082130B
winsta0, xrefs: 008212CC

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$winsta0\default
API String ID: 22674027-1685893292
Opcode ID: ad4bab6992e8e4c333a7608cca5ddec34af76030537ba66492d9e7f597cca4f5
Instruction ID: 189d737593fb3265f54c5bf4c5e4f8c9a02d118bdda8bc135b7505aaa275f402
Opcode Fuzzy Hash: ad4bab6992e8e4c333a7608cca5ddec34af76030537ba66492d9e7f597cca4f5
Instruction Fuzzy Hash: 93818C71900318AFDF109FA4EC89BEE7BBAFF14704F244129F915E61A0C7358A84CB65

Function 00820B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00821114
Part of subcall function 008210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821120
Part of subcall function 008210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 0082112F
Part of subcall function 008210F9: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00821136
Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00820BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00820C00
GetLengthSid.ADVAPI32(?), ref: 00820C17
GetAce.ADVAPI32(?,00000000,?), ref: 00820C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00820C6D
GetLengthSid.ADVAPI32(?), ref: 00820C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00820C8C
RtlAllocateHeap.NTDLL(00000000), ref: 00820C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00820CB4
CopySid.ADVAPI32(00000000), ref: 00820CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00820CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00820D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00820D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820D45
HeapFree.KERNEL32(00000000), ref: 00820D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820D55
HeapFree.KERNEL32(00000000), ref: 00820D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820D65
HeapFree.KERNEL32(00000000), ref: 00820D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00820D78
HeapFree.KERNEL32(00000000), ref: 00820D7F

Part of subcall function 00821193: GetProcessHeap.KERNEL32(00000008,00820BB1,?,00000000,?,00820BB1,?), ref: 008211A1
Part of subcall function 00821193: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 008211A8
Part of subcall function 00821193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00820BB1,?), ref: 008211B7

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocateDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4042927181-0
Opcode ID: d54d874cb22441d75da3f9d84193c316e3ba45def43ab320dd0fb61cc4c78d87
Instruction ID: 641ec00acecd121221b228d8797cec1371a6dd794b0a548683ee64548230cec5
Opcode Fuzzy Hash: d54d874cb22441d75da3f9d84193c316e3ba45def43ab320dd0fb61cc4c78d87
Instruction Fuzzy Hash: E671597290131AAFEF10DFA4EC48BAEBBB8FF04311F144615E914E6292D775AA45CF60

Function 0083EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0085CC08), ref: 0083EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0083EB37
GetClipboardData.USER32(0000000D), ref: 0083EB43
CloseClipboard.USER32 ref: 0083EB4F
GlobalLock.KERNEL32(00000000), ref: 0083EB87
CloseClipboard.USER32 ref: 0083EB91
GlobalUnlock.KERNEL32(00000000), ref: 0083EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0083EBC9
GetClipboardData.USER32(00000001), ref: 0083EBD1
GlobalLock.KERNEL32(00000000), ref: 0083EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0083EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0083EC38
GetClipboardData.USER32(0000000F), ref: 0083EC44
GlobalLock.KERNEL32(00000000), ref: 0083EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0083EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0083EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0083ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0083ECF3
CountClipboardFormats.USER32 ref: 0083ED14
CloseClipboard.USER32 ref: 0083ED59

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 5862151455efb8e80ae78c75f845a36b356b0dc8c467e95d62dbb2cc02c088c6
Instruction ID: e53a546f8c9999e7fcb6413386186fc18c786240257333908dad08d23a8e1097
Opcode Fuzzy Hash: 5862151455efb8e80ae78c75f845a36b356b0dc8c467e95d62dbb2cc02c088c6
Instruction Fuzzy Hash: B6618734204305AFD310EF24D899F6AB7A4FB84715F14455DF856EB2E2CB39E906CBA2

Function 0085911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

DragQueryPoint.SHELL32(?,?), ref: 00859147

Part of subcall function 00857674: ClientToScreen.USER32(?,?), ref: 0085769A
Part of subcall function 00857674: GetWindowRect.USER32(?,?), ref: 00857710
Part of subcall function 00857674: PtInRect.USER32(?,?,00858B89), ref: 00857720

SendMessageW.USER32(?,000000B0,?,?), ref: 008591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00859225
SendMessageW.USER32(?,000000B0,?,?), ref: 0085923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00859255
SendMessageW.USER32(?,000000B1,?,?), ref: 00859277
DragFinish.SHELL32(?), ref: 0085927E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00859371

Strings

@GUI_DRAGFILE, xrefs: 00859320
@GUI_DROPID, xrefs: 0085929E
@GUI_DRAGID, xrefs: 008592E9

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 4085959399-3440237614
Opcode ID: cb4b72dc6cbcd2e4df785767a9bf7b79336b85daf5776a2429464bae7aa1f5b3
Instruction ID: b9df979530ebeaa32944a4d3e3553421cc417edf425a0381945d297f1595e5ea
Opcode Fuzzy Hash: cb4b72dc6cbcd2e4df785767a9bf7b79336b85daf5776a2429464bae7aa1f5b3
Instruction Fuzzy Hash: 9F616C71108301AFC701EF64DC89EAFBBE9FF89751F40091EF695922A1DB349A49CB52

Function 0083698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008369BE
FindClose.KERNEL32(00000000), ref: 00836A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00836A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00836A75

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00836AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00836ADF

Strings

%4d, xrefs: 00836BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00836B6A
%02d, xrefs: 00836C00, 00836C0A, 00836C5A, 00836CAA, 00836CFA, 00836D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00836B32
%03d, xrefs: 00836DA2

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 528648045854a9a64c7e711678696cbf469ee43094dac71d9bdfff856e72f670
Instruction ID: 13a79d0c0e8ede26f898829a0e932fa5790bc2b96aec77f9a5c52a65340df2e5
Opcode Fuzzy Hash: 528648045854a9a64c7e711678696cbf469ee43094dac71d9bdfff856e72f670
Instruction Fuzzy Hash: 86D14072508344AEC314EBA4C889EABB7ECFF88704F04491DF585D7291EB78DA44CB62

Function 00839642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00839663
GetFileAttributesW.KERNEL32(?), ref: 008396A1
SetFileAttributesW.KERNEL32(?,?), ref: 008396BB
FindNextFileW.KERNEL32(00000000,?), ref: 008396D3
FindClose.KERNEL32(00000000), ref: 008396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0083974A
SetCurrentDirectoryW.KERNEL32(00886B7C), ref: 00839768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00839772
FindClose.KERNEL32(00000000), ref: 0083977F
FindClose.KERNEL32(00000000), ref: 0083978F

Strings

*.*, xrefs: 008396F5

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 421aa47c148791589dc627f242d3916e2e33d2fd84a34e030788c84d137eb0da
Instruction ID: 8c1203cdcf71c2b285037030e75e581a967151d7c819585205e83cd7fd5d188b
Opcode Fuzzy Hash: 421aa47c148791589dc627f242d3916e2e33d2fd84a34e030788c84d137eb0da
Instruction Fuzzy Hash: 2E31DF3264131AAEDB10AFB4DC49ADE37ACFF89321F104055E955E21A0EBB8DE448E90

Function 0083979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00839819
FindClose.KERNEL32(00000000), ref: 00839824
FindFirstFileW.KERNEL32(*.*,?), ref: 00839840
SetCurrentDirectoryW.KERNEL32(?), ref: 00839890
SetCurrentDirectoryW.KERNEL32(00886B7C), ref: 008398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008398B8
FindClose.KERNEL32(00000000), ref: 008398C5
FindClose.KERNEL32(00000000), ref: 008398D5

Part of subcall function 0082DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0082DB00

Strings

*.*, xrefs: 0083983B

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 6f1178124a721a8f52b334c02247c60d2dafa025c82928853da0e31eff09bea3
Instruction ID: 449ec07277ee5a4cdeea5c1978d4eee385714cd02eadaa958147d32036fdcebf
Opcode Fuzzy Hash: 6f1178124a721a8f52b334c02247c60d2dafa025c82928853da0e31eff09bea3
Instruction Fuzzy Hash: 3231B33150131D6EDB10AFA4DC48ADE77ACFF86325F104165E990E21A0DBB9DD44CFA0

Function 00838195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00838257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00838267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00838273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00838310
SetCurrentDirectoryW.KERNEL32(?), ref: 00838324
SetCurrentDirectoryW.KERNEL32(?), ref: 00838356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0083838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00838395

Strings

*.*, xrefs: 0083839B

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: c012daf3be93b75bb081c6a62725340d7cfadb23f7864bec8b3d1010998640e0
Instruction ID: 80521cf6fc8dd3a4c1a98dc36ca99412a0248162cc372135e43c3ebea490ea4e
Opcode Fuzzy Hash: c012daf3be93b75bb081c6a62725340d7cfadb23f7864bec8b3d1010998640e0
Instruction Fuzzy Hash: 336145725043459FCB10EF64D845AAEB3E8FF89314F04892EF989C7251EB39E945CB92

Function 0082D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2

Part of subcall function 0082E199: GetFileAttributesW.KERNEL32(?,0082CF95), ref: 0082E19A

FindFirstFileW.KERNEL32(?,?), ref: 0082D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0082D1DD
MoveFileW.KERNEL32(?,?), ref: 0082D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0082D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0082D237

Part of subcall function 0082D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0082D21C,?,?), ref: 0082D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0082D253
FindClose.KERNEL32(00000000), ref: 0082D264

Strings

\*.*, xrefs: 0082D0CD, 0082D0D6, 0082D0EB

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 53be7b2de0f234d80b0f58f123d158bd9774cd0b7520e9e9855055d5fcec932d
Instruction ID: 9fe4b491271b290dcad34dc5d42572d1cca295e1e6d1081bed61c7cd83211849
Opcode Fuzzy Hash: 53be7b2de0f234d80b0f58f123d158bd9774cd0b7520e9e9855055d5fcec932d
Instruction Fuzzy Hash: E4613B3180121DEACF05EBA0E956EEDBBB5FF15305F208169E401B7191EB35AF49CB61

Function 0083ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0083ED91
EmptyClipboard.USER32 ref: 0083ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0083EDAC
CloseClipboard.USER32 ref: 0083EEA3

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8a3ad0285dc6578a30760375817dbb3ada58b0cdfd284bb22d55836e2310fca2
Instruction ID: fb1518ab664c1fdc34a772a98ec5f27192b69b53bafff1a7ba1903821226887f
Opcode Fuzzy Hash: 8a3ad0285dc6578a30760375817dbb3ada58b0cdfd284bb22d55836e2310fca2
Instruction Fuzzy Hash: D5415A35604611AFE721DF19D888B2ABBE5FF84319F14809DE4198B6A2C779ED42CBD0

Function 0082E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082170D
Part of subcall function 008216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0082173A
Part of subcall function 008216C3: GetLastError.KERNEL32 ref: 0082174A

ExitWindowsEx.USER32(?,00000000), ref: 0082E932

Strings

, xrefs: 0082E920
, xrefs: 0082E95C
SeShutdownPrivilege, xrefs: 0082E902
@, xrefs: 0082E925

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8dcf975e2b9081bf01cfdfed69f9e263a867fd40f78e9c567a917a2081925c78
Instruction ID: 5071fd7efcbfa037d2953aaceb0d7643c6aeea112462caad5b8c042c399538a1
Opcode Fuzzy Hash: 8dcf975e2b9081bf01cfdfed69f9e263a867fd40f78e9c567a917a2081925c78
Instruction Fuzzy Hash: E8012672610334AFEF1426B8BC8ABBF765CF714745F150423FC12E21D1E6A45CC08698

Function 00841204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00841276
WSAGetLastError.WS2_32 ref: 00841283
bind.WS2_32(00000000,?,00000010), ref: 008412BA
WSAGetLastError.WS2_32 ref: 008412C5
closesocket.WS2_32(00000000), ref: 008412F4
listen.WS2_32(00000000,00000005), ref: 00841303
WSAGetLastError.WS2_32 ref: 0084130D
closesocket.WS2_32(00000000), ref: 0084133C

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ee114477ed51f96e788c5a25685bf25330169b9f89dfd50a8cbc2c02eb8296cd
Instruction ID: e31c1f9b46b11e0b3bc09208e31a0e3681fe6d348abf86600727df05a71ed020
Opcode Fuzzy Hash: ee114477ed51f96e788c5a25685bf25330169b9f89dfd50a8cbc2c02eb8296cd
Instruction Fuzzy Hash: 0F416C316002149FDB10DF64C488B2ABBE5FF46319F18819CE856CB392C775EC81CBA1

Function 00828298 Relevance: 11.1, APIs: 1, Strings: 6, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008282AA

Strings

AddRef, xrefs: 00828581
InterfaceDispatch, xrefs: 00828461
|, xrefs: 008282DA
(, xrefs: 008282F0
QueryInterface, xrefs: 008284F4
Release, xrefs: 008285C9

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: lstrlen
String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
API String ID: 1659193697-2318614619
Opcode ID: 334e1117a8f962af93f9658f1542c4421b1c5a31e17dccb8d09b1962c5bba40f
Instruction ID: 5fd54d3f3e2a233959e17e8c95f6f0ab3db150e36e67f9bbeee596cd98948580
Opcode Fuzzy Hash: 334e1117a8f962af93f9658f1542c4421b1c5a31e17dccb8d09b1962c5bba40f
Instruction Fuzzy Hash: 8B323474A01615DFCB28CF59D484A6AB7F0FF48710B15C46EE49ADB3A1EB70E981CB44

Function 0082D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2

Part of subcall function 0082E199: GetFileAttributesW.KERNEL32(?,0082CF95), ref: 0082E19A

FindFirstFileW.KERNEL32(?,?), ref: 0082D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0082D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0082D481
FindClose.KERNEL32(00000000), ref: 0082D498
FindClose.KERNEL32(00000000), ref: 0082D4A1

Strings

\*.*, xrefs: 0082D3F2

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 8878c4efaeb4579f558225a7215ee8c41bf5bd50107d4c0ede958c7ac6a05a26
Instruction ID: 615641e02b6d5943bc765685a787c11ed9b49c04e975da90cbdd587b567bf55b
Opcode Fuzzy Hash: 8878c4efaeb4579f558225a7215ee8c41bf5bd50107d4c0ede958c7ac6a05a26
Instruction Fuzzy Hash: E9318D31008355AFC200EF64D89ADAFBBE8FE91305F404A1DF4D593191EB38AA098B67

Function 007FE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 007FE645

Strings

1#IND, xrefs: 007FF83D
1#QNAN, xrefs: 007FF84B
1#SNAN, xrefs: 007FF844
1#INF, xrefs: 007FF852

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c5deeb7c77019a7774bbe88b8a3b5b5c4587b165bb169d06e2f2a11e16b92876
Instruction ID: 5969104409e1c4813c0d08e527fed1c62a003be1c4700c6778469268557cdac6
Opcode Fuzzy Hash: c5deeb7c77019a7774bbe88b8a3b5b5c4587b165bb169d06e2f2a11e16b92876
Instruction Fuzzy Hash: E9C23972E0862C8FDB25DE289D447EAB7B5EF48304F1441EAD54DE7251EB78AE818F40

Function 0083648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008364DC
CoInitialize.OLE32(00000000), ref: 00836639
CoCreateInstance.COMBASE(0085FCF8,00000000,00000001,0085FB68,?), ref: 00836650
CoUninitialize.COMBASE ref: 008368D4

Strings

.lnk, xrefs: 008364BA, 00836524, 008365E0

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 31f2894ce55d5ad20f56e57927791b395bfc06f935320e506ec009d4f67253d9
Instruction ID: 7884699bc9dbb1309ca1fcbc40d1f855f8448ad8baa7ef460a9ca958ba153c3f
Opcode Fuzzy Hash: 31f2894ce55d5ad20f56e57927791b395bfc06f935320e506ec009d4f67253d9
Instruction Fuzzy Hash: 40D13971508201AFC314EF24C885E6BB7E8FF98704F14896DF595CB291EB74E945CBA2

Function 008422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008422E8

Part of subcall function 0083E4EC: GetWindowRect.USER32(?,?), ref: 0083E504

GetDesktopWindow.USER32 ref: 00842312
GetWindowRect.USER32(00000000), ref: 00842319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00842355
GetCursorPos.USER32(?), ref: 00842381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008423DF

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: dd9985e5f5a9c662794e70c46682f5fa83c8b5e0c6fbeb9c4fe3f70b4ae4e12e
Instruction ID: 810de2bb071db58134cd9a79b7a1d84c68972a2eb8331a1207d564cb2832a679
Opcode Fuzzy Hash: dd9985e5f5a9c662794e70c46682f5fa83c8b5e0c6fbeb9c4fe3f70b4ae4e12e
Instruction Fuzzy Hash: 2031DE72508319AFC720DF58D849B5BBBA9FF88314F400919F985D7291DB34EA48CB96

Function 00839B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00839B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00839C8B

Part of subcall function 00833874: GetInputState.USER32 ref: 008338CB
Part of subcall function 00833874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00833966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00839BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00839C75

Strings

*.*, xrefs: 00839B5D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 57789a678bfeef2cd05d12d794884c8545b8c53a9f2f46c0c695dda6a5a44b4b
Instruction ID: 69db7511985cfd3faa8176fa24c7d23496105801718cfbc4fbe21910bf6d2b42
Opcode Fuzzy Hash: 57789a678bfeef2cd05d12d794884c8545b8c53a9f2f46c0c695dda6a5a44b4b
Instruction Fuzzy Hash: 1041607190420A9FCF14DF64C889AEEBBB8FF45311F144159E855E2191EB749E85CFA0

Function 007D997D Relevance: 7.9, APIs: 5, Instructions: 375nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 007D9A4E
GetSysColor.USER32(0000000F), ref: 007D9B23
SetBkColor.GDI32(?,00000000), ref: 007D9B36

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Color$DialogLongNtdllProc_Window
String ID:
API String ID: 1958858920-0
Opcode ID: 9a1fc3f79f46ad1b95f674a0a4bbb3676a9e2d975e24e7bf8a9a3190ed163666
Instruction ID: 1b73b3625ebed584ce1ae6604f681e1587e7f5820f09ef493e7543b32790ef7d
Opcode Fuzzy Hash: 9a1fc3f79f46ad1b95f674a0a4bbb3676a9e2d975e24e7bf8a9a3190ed163666
Instruction Fuzzy Hash: 26A1F871208544FEE725AA2C8C5DDBB2ABDFF82340F19421FF602D67D1DA299D41D272

Function 00841806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0084304E: inet_addr.WS2_32(?), ref: 0084307A
Part of subcall function 0084304E: _wcslen.LIBCMT ref: 0084309B

socket.WS2_32(00000002,00000002,00000011), ref: 0084185D
WSAGetLastError.WS2_32 ref: 00841884
bind.WS2_32(00000000,?,00000010), ref: 008418DB
WSAGetLastError.WS2_32 ref: 008418E6
closesocket.WS2_32(00000000), ref: 00841915

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: cb45130ad59baa3d4e1393182a67fa0e133b4eb07b365f6bfa3cfe061c4dceb6
Instruction ID: 61198057010e9236d6574a5c344dcb625fd313f0edb6d14203b91329a2a66c33
Opcode Fuzzy Hash: cb45130ad59baa3d4e1393182a67fa0e133b4eb07b365f6bfa3cfe061c4dceb6
Instruction Fuzzy Hash: 1951A271A00214AFDB10AF24C88AF2A7BE5EB45718F08805CF9069F3D3CB75AD41CBA1

Function 00851C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00851CC0
IsWindowEnabled.USER32 ref: 00851CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00851CDB
IsIconic.USER32 ref: 00851CE9
IsZoomed.USER32 ref: 00851CF7

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f3a908fe42a7a944b9de757fdc867eef502794e802d132f4a39e9c47dcf87350
Instruction ID: a2c8ba8d8b7389793ea3d61c618eb7c2403768451809dc1f898e63d3d1324611
Opcode Fuzzy Hash: f3a908fe42a7a944b9de757fdc867eef502794e802d132f4a39e9c47dcf87350
Instruction Fuzzy Hash: 3B2180317402119FDB218F1AC888F6A7BA5FF95316B19805CEC4ACB351DB76ED46CB90

Function 007C8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 007C813C
VUUU, xrefs: 00805DF0
VUUU, xrefs: 007C843C
VUUU, xrefs: 007C83FA
VUUU, xrefs: 007C83E8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: d5db4372e0aee6701f3b6b3dd530d48b965a06d5988562dca25ebcf03d5abf77
Instruction ID: 855aa1bd3fe9e0a5295425c7cbfc0bcbb782bcc33d7bb17cdbd45d181824176f
Opcode Fuzzy Hash: d5db4372e0aee6701f3b6b3dd530d48b965a06d5988562dca25ebcf03d5abf77
Instruction Fuzzy Hash: 23A26D70A0061ACBDFA4CF58C844BAEB7B1FB54310F2481AED815E7285EB749D91CF91

Function 0084A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0084A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0084A6BA

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0084A79C
CloseHandle.KERNEL32(00000000), ref: 0084A7AB

Part of subcall function 007DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00803303,?), ref: 007DCE8A

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d8855e72a99b6e449a08ab05814fdfda491b5d7c1d4581685b50cbd96ea6e1c4
Instruction ID: 523f56c5f873a8b90e4cba52363b5b4912c4fe2d6dc45e9f15c2af0e2b729e7d
Opcode Fuzzy Hash: d8855e72a99b6e449a08ab05814fdfda491b5d7c1d4581685b50cbd96ea6e1c4
Instruction Fuzzy Hash: 03511971508700AFD714EF24D88AE6BBBE8FF89754F40492DF58597251EB34E904CB92

Function 0082AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0082AAAC
SetKeyboardState.USER32(00000080), ref: 0082AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0082AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0082AB88

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7961dd6c03edbb8bbcabffe87d8a2aaec5cc53b7caf6bcd33daf9b3c5cfc52c7
Instruction ID: a02fd9947cc954108be2aa766d480f81aafd8a272a73d776fd8b9a39641ec691
Opcode Fuzzy Hash: 7961dd6c03edbb8bbcabffe87d8a2aaec5cc53b7caf6bcd33daf9b3c5cfc52c7
Instruction Fuzzy Hash: C031E574A40368AFEB398A68AC05BFA7BA6FF54330F04421AE581D61D1D37589C5CB62

Function 007FBB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007FBB7F

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

GetTimeZoneInformation.KERNEL32 ref: 007FBB91
WideCharToMultiByte.KERNEL32(00000000,?,0089121C,000000FF,?,0000003F,?,?), ref: 007FBC09
WideCharToMultiByte.KERNEL32(00000000,?,00891270,000000FF,?,0000003F,?,?,?,0089121C,000000FF,?,0000003F,?,?), ref: 007FBC36

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: ddaa046f71b02b5b267c9a814e8565d8a314caa3e4bb9bd44d393852ed44a690
Instruction ID: 6c345f9377ca8592ac555404f0f6a9fe779eeec7171c4f88d76ca16af24d69d3
Opcode Fuzzy Hash: ddaa046f71b02b5b267c9a814e8565d8a314caa3e4bb9bd44d393852ed44a690
Instruction Fuzzy Hash: 4C31AF7094820ADFCF11EFA9DC8487ABBB8FF4575071842AAE261DB3A1D7349D00CB60

Function 00858FC9 Relevance: 6.1, APIs: 4, Instructions: 78nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

GetCursorPos.USER32(?), ref: 00859001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00817711,?,?,?,?,?), ref: 00859016
GetCursorPos.USER32(?), ref: 0085905E
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00817711,?,?,?), ref: 00859094

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: e14fd1bd24b8d8e3f5b4b5ebae8a5a7e80222a81d2d1d94d0521e65e5371bce3
Instruction ID: c69c3879374902e2e466c2d9886451ff89435fbb8b47fa7ac6ced40be3fa3961
Opcode Fuzzy Hash: e14fd1bd24b8d8e3f5b4b5ebae8a5a7e80222a81d2d1d94d0521e65e5371bce3
Instruction Fuzzy Hash: 0221BF31600518EFCF268F94CC58EEB7BF9FB89352F044465F945872A1D335A950EB60

Function 0083CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0083CE89
GetLastError.KERNEL32(?,00000000), ref: 0083CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0083CEFE

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: b535c7682fb65502e2e959284d3cbc0728677a38c14fad6664eeae7ff0868bbd
Instruction ID: 5eba52340d0fc9f931780444160074eef5f12488900a4afcc3e2f90fd306d652
Opcode Fuzzy Hash: b535c7682fb65502e2e959284d3cbc0728677a38c14fad6664eeae7ff0868bbd
Instruction Fuzzy Hash: 42219DB1500705DFD720DF65C948BA677F8FB80759F10481EE546E2151EB74EE058BA4

Function 0082DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00805222), ref: 0082DBCE
GetFileAttributesW.KERNEL32(?), ref: 0082DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0082DBEE
FindClose.KERNEL32(00000000), ref: 0082DBFA

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: ca123e6a1e36eccb304da8b35d25193fe099bc7dea26776daafd0a8366402a3c
Instruction ID: ff9a2ccd413a4dff525b7b8cbdc600ba942d61089b49f7d392c5eb97ffda219b
Opcode Fuzzy Hash: ca123e6a1e36eccb304da8b35d25193fe099bc7dea26776daafd0a8366402a3c
Instruction Fuzzy Hash: ABF0A030810B245B82206B78AC0D8AA3BACFF01336B104702F836D22E0EBB45994CA96

Function 00835C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00835CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00835D17
FindClose.KERNEL32(?), ref: 00835D5F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 19315a11e56456dc13da6fdd5fce954c26f00210c481ee1c1bec4785d44a9191
Instruction ID: 1105f6ec51c421ccc5d586200b0f04816739a7d7706ddbae902bc132fe05ee9f
Opcode Fuzzy Hash: 19315a11e56456dc13da6fdd5fce954c26f00210c481ee1c1bec4785d44a9191
Instruction Fuzzy Hash: B7517675604A019FC714DF28C498E9AB7E4FF89328F14856EE95ACB3A1CB34ED05CB91

Function 007F2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 007F271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 007F2724
UnhandledExceptionFilter.KERNEL32(?), ref: 007F2731

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 10ebc894270e1cf23958aa9440172fbd19f18fc6110de857bbe4e9572936bc2f
Instruction ID: d3409b1ffeda1eb06b8e2ccdcd170fff83586d350365fc7d66be42ba85b96cd4
Opcode Fuzzy Hash: 10ebc894270e1cf23958aa9440172fbd19f18fc6110de857bbe4e9572936bc2f
Instruction Fuzzy Hash: EC31C27490131CEBCB21DF69DC88798BBB8BF08310F5041EAE90CA6261E7749F818F55

Function 008351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00835238
SetErrorMode.KERNEL32(00000000), ref: 008352A1

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 3017614cd26208f5ee0d7ff95665261f4a420692098b377ab5caf284ab1825f3
Instruction ID: b4a7c69fe31ad45d214a0b248457badc58ee157461de6ac5e7cabe4c04b15324
Opcode Fuzzy Hash: 3017614cd26208f5ee0d7ff95665261f4a420692098b377ab5caf284ab1825f3
Instruction Fuzzy Hash: B6313075A00618DFDB00DF54D888FAEBBB5FF49314F088099E8059B352DB35E856CB91

Function 008216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 007DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 007E0668
Part of subcall function 007DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 007E0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0082173A
GetLastError.KERNEL32 ref: 0082174A

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 4752908ab6e780e0fae67314c4fc3962a1932e82cb5f882bcfe38f648ff0f78f
Instruction ID: c5c4bebdd359da7738e28f175c0f787eef01f1c78b5dbc3fa96756cf843a8d3f
Opcode Fuzzy Hash: 4752908ab6e780e0fae67314c4fc3962a1932e82cb5f882bcfe38f648ff0f78f
Instruction Fuzzy Hash: 1E11C4B1500308AFD7189F54EC8AD6BB7F9FB44714B20852EE05693241EB74BC418A20

Function 0082D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0082D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0082D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0082D650

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 908b57d00a773d566cfa060b9d8cc19afa5c85d2f184e77ffdfafcfd60531cb1
Instruction ID: 8ca2fb64506ee0136a5deb8e8dc1e0e369a1d18b870986b2ad6dbcb79faf95ea
Opcode Fuzzy Hash: 908b57d00a773d566cfa060b9d8cc19afa5c85d2f184e77ffdfafcfd60531cb1
Instruction Fuzzy Hash: B2115A75A01328BFDB108B94AC44BAFBFBCEB45B50F108111F914E7290C2744A018BE1

Function 00821663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0082168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008216A1
FreeSid.ADVAPI32(?), ref: 008216B1

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 88633034a830d78e39222853eed5c69aae2afe0f298de041f93ca422e5f8d130
Instruction ID: 9d117cfbce64223219f6fad3f8e8cda687736454418c79dfb69858b7830316e9
Opcode Fuzzy Hash: 88633034a830d78e39222853eed5c69aae2afe0f298de041f93ca422e5f8d130
Instruction Fuzzy Hash: 30F0F471950309FFDF00DFE49C89AAEBBBCFB08606F504565E501E2181E774AA448A50

Function 007E4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007F28E9,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002,00000000,?,007F28E9), ref: 007E4D09
TerminateProcess.KERNEL32(00000000,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002,00000000,?,007F28E9), ref: 007E4D10
ExitProcess.KERNEL32 ref: 007E4D22

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: a96f1d5e7553ab0fc3254b67230d91c62c2f0c21eb247eb8758fc0829c45234b
Instruction ID: 4d675a6f6074e444ac3f4da08f511a38663f9cd9817dd074c722d9faf71263d5
Opcode Fuzzy Hash: a96f1d5e7553ab0fc3254b67230d91c62c2f0c21eb247eb8758fc0829c45234b
Instruction Fuzzy Hash: 0CE09231101688AFCB11AF65DD09A983B69FB85782B104054FA058A222CB39D942CA80

Function 0081D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0081D28C

Strings

X64, xrefs: 0081D2A8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 3f6fc09f3eb1d1cdebf608075141b4334536ab542e9a732197ccb1418ee70475
Instruction ID: 56d72ad8b44ce74ed4dcec98351b227a4968666cccc3ed16a6f493636c2dca3d
Opcode Fuzzy Hash: 3f6fc09f3eb1d1cdebf608075141b4334536ab542e9a732197ccb1418ee70475
Instruction Fuzzy Hash: 7ED0C9B480121DEECF90CB90DC88DD9B3BCFB14305F100152F106E2140D77895488F10

Function 007ECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: dbe4d6b337ddd621e0805d54e63a0751eb1e42788515ae04d0a86829f8a7c18f
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: C0024D76E012599FDF15CFA9C8806ADFBF1FF48314F258169E919EB380D735A9028B90

Function 007D97C0 Relevance: 3.1, APIs: 2, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952

GetParent.USER32(?), ref: 008173A3
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?), ref: 0081742D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: df718de3df36a6db771ce72270df4d368e151cdbb7436308886fb9aa8ccedff5
Instruction ID: 70a4d66e6abbfffae147f5efdd7fd2545d0923b45d3733f55989cadee6d0d97f
Opcode Fuzzy Hash: df718de3df36a6db771ce72270df4d368e151cdbb7436308886fb9aa8ccedff5
Instruction Fuzzy Hash: DD219134604104AFCB259F68CC59DE93BB9FF46370F14425AFA268B3A1D3359D91EA50

Function 008368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00836918
FindClose.KERNEL32(00000000), ref: 00836961

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 58a7cb9e7f025397e480358d3c91c64d0e48f084175e1544cd5bb21d47a2f919
Instruction ID: ad3a254000084adc0876b2f50f9d1c212c33c4a503dc35e345705abc8a4fa975
Opcode Fuzzy Hash: 58a7cb9e7f025397e480358d3c91c64d0e48f084175e1544cd5bb21d47a2f919
Instruction Fuzzy Hash: 7D117C31604200AFC710DF29D488B16BBE5FF85329F14C69DE8698B6A2DB34EC05CB91

Function 008590A1 Relevance: 3.0, APIs: 2, Instructions: 44nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0081769C,?,?,?), ref: 00859111

Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 008590F7

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: e5ff27802a1eefceaa1ab0d1b2cef7d9318ac9456a95e7ef4612bac8da4562e1
Instruction ID: 634a5533c94c90c696447fa77a1d93c20ebc42451757aa8c3e7225491764eda3
Opcode Fuzzy Hash: e5ff27802a1eefceaa1ab0d1b2cef7d9318ac9456a95e7ef4612bac8da4562e1
Instruction Fuzzy Hash: A301FC30204618EBDB21AF14DC49FA63BB2FB853A6F040069FE814A2E0CB366809DB10

Function 008337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00844891,?,?,00000035,?), ref: 008337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00844891,?,?,00000035,?), ref: 008337F4

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cf303e771c335f8a998dd1aecb0c59463ce16ad55978c9eb5dad978ce7fdc447
Instruction ID: 546a499f8df207b88de0e17828b69375eca521a82fe90ac08822eb561bd65a1f
Opcode Fuzzy Hash: cf303e771c335f8a998dd1aecb0c59463ce16ad55978c9eb5dad978ce7fdc447
Instruction Fuzzy Hash: 30F0E5B06043296AEB6017768C4DFEB3BAEFFC4761F000179F609D2291D9609904CBF0

Function 00859400 Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00859423
NtdllDialogWndProc_W.NTDLL(?,00000200,?,00000000,?,?,00000000,00000000,?,0081776C,?,?,?,?,?), ref: 0085944C

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 2d59e98b8b76d31a1f7578cad0f3e48b31d53a4955c0b5267726ab02cc3400b6
Instruction ID: 89bc4721c5e42a89d5a46da3ed1b4d503f76a88266f73a4df4c03403d97a3242
Opcode Fuzzy Hash: 2d59e98b8b76d31a1f7578cad0f3e48b31d53a4955c0b5267726ab02cc3400b6
Instruction Fuzzy Hash: 59F03A72400218FFEF058F91DC09DAE7FB8FB44352F00405AF945A2160D375AA54DBA0

Function 0082B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0082B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0082B270

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 7203c404b4134019538a385ef0c67f8396eb36deb092c1b1c0b5e07b5e63e5ab
Instruction ID: 70e296ba3ac1022db4c4ea49949c0891c8b6b2d659e79fa57c9789c6e2d2e816
Opcode Fuzzy Hash: 7203c404b4134019538a385ef0c67f8396eb36deb092c1b1c0b5e07b5e63e5ab
Instruction Fuzzy Hash: E2F01D7180434DAFDB059FA4D805BAE7FB4FF0830AF008009F955A6192D3798651DF94

Function 008210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008211FC), ref: 008210D4
CloseHandle.KERNEL32(?,?,008211FC), ref: 008210E9

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 7f377d287a7c8ef99e59127bf605b87461baea169addd93ea9e01d7dbc5cc768
Instruction ID: 8e83b5361f1b60d1c76ef1a3f9c9782daf363eb95e84eaf1fa1c36f7ff5ffe18
Opcode Fuzzy Hash: 7f377d287a7c8ef99e59127bf605b87461baea169addd93ea9e01d7dbc5cc768
Instruction Fuzzy Hash: DCE04F32004B10EEEB252B51FC09E7377A9FB04311B20882EF4A6805B1DB666CD0DB50

Function 0085953A Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00859542
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,008176FB,?,?,?,?), ref: 0085956C

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: bb4752645fa1eb246d4c41a6514739c479b80e9034329b302238b579a1a46796
Instruction ID: b1702fe377034296783969d9c527a304a699bc4fe203b7091989b7464cf1dbe1
Opcode Fuzzy Hash: bb4752645fa1eb246d4c41a6514739c479b80e9034329b302238b579a1a46796
Instruction Fuzzy Hash: 43E04630104318BAEB160F19DC0AFB93B58FB00BA2F108119F997980E1E6B59AE4E660

Function 007CCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00810C40

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 3ce3a4362f156fdbe075f3cd40e937878c6cfbf9ff7013350554a1d17b2b6d80
Instruction ID: b8f8c33736bc61efb6316647eb3851e7af3d790174372cd01af59c327f49bff3
Opcode Fuzzy Hash: 3ce3a4362f156fdbe075f3cd40e937878c6cfbf9ff7013350554a1d17b2b6d80
Instruction Fuzzy Hash: 3F323671900218EBCF15DF94C885FEDB7B9FF05304F24405DE80AAB292D779AA86DB61

Function 007F676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,007F6766,?,?,00000008,?,?,007FFEFE,00000000), ref: 007F6998

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 96976965fcd31b6f519bf0a073c56310222f5672dcc040bdae502360a404bc10
Instruction ID: 6569668c9d9d397e55e9b3cc102d63331883ab5f6ea39449290bbb9682802bfd
Opcode Fuzzy Hash: 96976965fcd31b6f519bf0a073c56310222f5672dcc040bdae502360a404bc10
Instruction Fuzzy Hash: E1B128716106099FD719CF28C48AB657BA0FF45364F25C65CEA9ACF3A2C339E991CB40

Function 007DB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0081851F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ee7103c07059894ae5d0c61919d29b6fe19a2247ad80c6c9f67cd2291da6c6a2
Instruction ID: 3466f9e085206b3a6971243648f2a1d2a272acfa3cf7fd3807c81a80fc74ca8c
Opcode Fuzzy Hash: ee7103c07059894ae5d0c61919d29b6fe19a2247ad80c6c9f67cd2291da6c6a2
Instruction Fuzzy Hash: C7124C71900229DFCB24CF58C881AEEB7B5FF48710F15819AE849EB355EB349E81DB90

Function 0085A2D7 Relevance: 1.6, APIs: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 0085A38F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: cf1acc894d867cd8f6b77900890d5255c15fde967d2b4262e0e1d42af2cf91dd
Instruction ID: 5fe0fb4d0485a8d7897c9f2325312de6e8dd8981699d958c8706c52b227d2eb2
Opcode Fuzzy Hash: cf1acc894d867cd8f6b77900890d5255c15fde967d2b4262e0e1d42af2cf91dd
Instruction Fuzzy Hash: F31136302042156AFB2D1B2CCC49BBC3A55FB41B6AF144325FD11DA2D2CB645D48D257

Function 008587B2 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952

CallWindowProcW.USER32(?,?,00000020,?,?), ref: 008587F3

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$CallLongProc
String ID:
API String ID: 4084987330-0
Opcode ID: 94463d1fd127222d586514f7b9fe5e5e3f274d8f990ba5650519128d34c855cd
Instruction ID: f3aa9b928954faeb121875b4c15d9fda75b6d4f39faf778fb6e439f8bb417306
Opcode Fuzzy Hash: 94463d1fd127222d586514f7b9fe5e5e3f274d8f990ba5650519128d34c855cd
Instruction Fuzzy Hash: 3AF04F3110410CEFCF05AF94DC54CB93BA5FB08362B048416FD119A561DB32AC60EF50

Function 00858AAA Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

Part of subcall function 007D912D: GetCursorPos.USER32(?), ref: 007D9141
Part of subcall function 007D912D: ScreenToClient.USER32(00000000,?), ref: 007D915E
Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000001), ref: 007D9183
Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000002), ref: 007D919D

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00817818,?,?,?,?,?,00000001,?), ref: 00858AF8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 88295949a6ddbd0edf3c5168c26b20f4051d4530188897eb2b679e18d7a57519
Instruction ID: 16d9de09434b8f97f00872153f436808f81680b53dc8ae0d915160b62e9fbcbf
Opcode Fuzzy Hash: 88295949a6ddbd0edf3c5168c26b20f4051d4530188897eb2b679e18d7a57519
Instruction Fuzzy Hash: 9CF08270200229EBDF156F15D80EAAA3F61FB00791F000016FD166A291DBB699A4DBE5

Function 007D9052 Relevance: 1.5, APIs: 1, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 007D9096

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 563b609700a358741df875158af42360a8dece7fd423fad24c4a4d77ef7b61f0
Instruction ID: 803d687be2e4a6ebed10406900dcf5d3c28342ff6e13d93ae664f57cf9ab3281
Opcode Fuzzy Hash: 563b609700a358741df875158af42360a8dece7fd423fad24c4a4d77ef7b61f0
Instruction Fuzzy Hash: AAF0E23020430ADFDF089F11E858A363B72FB813A0F24812EF9120A3E0C7379891EB60

Function 0083EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0083EABD

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 006d93583f0d16749fea8e028c0dc12bfde24fae1e326c4ca5a4419806a48571
Instruction ID: d987e6ad258b909dae03e3b3ee334f162fad595c613ccb9e32d7c56a3581d5a1
Opcode Fuzzy Hash: 006d93583f0d16749fea8e028c0dc12bfde24fae1e326c4ca5a4419806a48571
Instruction Fuzzy Hash: 32E01A322002159FC710EF59D809E9AB7E9FFA8760F00841EFC49C7391DA74A8418B90

Function 00859380 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 008593C0

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: c09c6fe72cdcffbd76939833ec09c39ba336a3c681ac92d62145e756b27dce98
Instruction ID: 1c04e3232370d155c5849db7474d17fd351153709eaf20b7e91501e4b531cb0b
Opcode Fuzzy Hash: c09c6fe72cdcffbd76939833ec09c39ba336a3c681ac92d62145e756b27dce98
Instruction Fuzzy Hash: 13F0A931204349AFDB20EF58DC08FC63BA5FB06360F084008BA20672E1CB717924EB60

Function 007D90A7 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 007D90D5

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: c0d69b8cb1454e8181e309a28e493e7b8401949a1ba77888a14d3a731dca3bd0
Instruction ID: 102634f2f5c6033d34309de1226a481f9f2f252a0b2dd9fe3497fc0aeabaf3b3
Opcode Fuzzy Hash: c0d69b8cb1454e8181e309a28e493e7b8401949a1ba77888a14d3a731dca3bd0
Instruction Fuzzy Hash: D7E08C30204208FBCF05AF90DC19E643B36FB88390F148019FB051A3A1CA37A961DB10

Function 008593CB Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00817723,?,?,?,?,?,?), ref: 008593F6

Part of subcall function 00858172: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00893018,0089305C), ref: 008581BF
Part of subcall function 00858172: CloseHandle.KERNEL32 ref: 008581D1

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 4178364262-0
Opcode ID: 44ef734b47768aa719911bca0a8a42245ca25f64170797aee0b102ccab8a9007
Instruction ID: 97f1795f5f405329694d0e05d03e231a087ed38736f524eaed6871fa4335ae72
Opcode Fuzzy Hash: 44ef734b47768aa719911bca0a8a42245ca25f64170797aee0b102ccab8a9007
Instruction Fuzzy Hash: D7E04631204209DFCB01AF48DC54E863BB6FB08352F004005FE119B2B2CB32A9A8EF10

Function 007D8BA4 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

Part of subcall function 007D8BCD: DestroyWindow.USER32(?), ref: 007D8C81
Part of subcall function 007D8BCD: KillTimer.USER32(00000000,?,?,?,?,007D8BBA,00000000,?), ref: 007D8D1B

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?), ref: 007D8BC3

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: a6039e210c0484cdc94585da35ae67d8e0e481e86df87dea212981ba64ee9022
Instruction ID: d7b9381aead4f818738bfd51c872406ccf02d86c074e6e8bdf9838a2a3221487
Opcode Fuzzy Hash: a6039e210c0484cdc94585da35ae67d8e0e481e86df87dea212981ba64ee9022
Instruction Fuzzy Hash: 38D012B028030CBBEE513BA1DC0FF493A29EB40791F008022F704792D1CAB664505559

Function 007E09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007E03EE), ref: 007E09DA

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 58b9af771e2ca188bea57c2b146403731b525caf99fee8bfdf429199e74383ef
Instruction ID: 4b289d58ed6846241651945082a97c771a076513493dd050ca59505ecc453a3e
Opcode Fuzzy Hash: 58b9af771e2ca188bea57c2b146403731b525caf99fee8bfdf429199e74383ef
Instruction Fuzzy Hash:

Function 007E781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 007E798B

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d20d3b89a437ce60f300e36af216d74fff09c1750bbd99148567e1c9af7f25d7
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: E751777160F7C59BDB3C856B889E7BE23899F2E340F180519D886CB283CA1DEE41D352

Function 007F6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610e053a570f798a8a2ffa9050d003e615fa56b4fba81d478a5092db2b9fae90
Instruction ID: 8d1415c0e17fe7c24809d06659b54e72ee9fd42b64e0377910cb7435289fed6d
Opcode Fuzzy Hash: 610e053a570f798a8a2ffa9050d003e615fa56b4fba81d478a5092db2b9fae90
Instruction Fuzzy Hash: E2326622D29F454DD7279634CC22335A249BFB73C5F16D737F81AB5AAAEB69C4838100

Function 007DCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3e9f35c5e6b671ddba8c16e4d4504c8120f1e6c5e87e7c9a17949c20caee8d
Instruction ID: 558f59ca05792296efc4bde2406d830102d2dd11313ea56df4543f0a42932f63
Opcode Fuzzy Hash: 5c3e9f35c5e6b671ddba8c16e4d4504c8120f1e6c5e87e7c9a17949c20caee8d
Instruction Fuzzy Hash: 8C321271A8411A8BCF29CE28C4906FD7BB9FF45314F28856BD98ACB291D234DDC1DB51

Function 007C7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05650ab591bbcfbd754feafdb68f5d935ebfe1889015c4e34b7e55cd8d1a510a
Instruction ID: 1cb511f9e291a912e35b85d0020bd061200ceb4f2ab9015e5bf701a1d8e7af71
Opcode Fuzzy Hash: 05650ab591bbcfbd754feafdb68f5d935ebfe1889015c4e34b7e55cd8d1a510a
Instruction Fuzzy Hash: D6227CB0A04609DBDF14CFA8D885AAEB7B5FF44300F14452DE816E7291EB3AAD54CF64

Function 007C91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deb991c17cdf0a2e1391063d1b2c99e23ea718f595a9ac652af46e558aa6a1b
Instruction ID: 923189a5879ce87944714379cdb0fb087de765304a21c893fcaf168451a9f816
Opcode Fuzzy Hash: 5deb991c17cdf0a2e1391063d1b2c99e23ea718f595a9ac652af46e558aa6a1b
Instruction Fuzzy Hash: CD02C3B1A00209EBDB44DF64DC85BAEB7B1FF44304F108569E946DB3D1EB35AA60CB91

Function 007E1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 11a7d0590290f14b716a3450ea77b2777c41190593857819553e80f56ea0afd8
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C491997260A0E34ADB29863F853603DFFE15A563A235A079DE4F2CB1C5FE38D954D620

Function 007E19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: bfbd99ed2bf3ca4a59d6312b8bbe197e2a4933f05481fa678a265031adf7912c
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: FB91657220A0E34ADB2D427B857603DFFE15A963A135A47AED4F3CA1C1FD38D554D620

Function 007E7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ddf15903a37f5009b7e07001d006686b85c40c43cbca49ab7037a8aa9e2a19
Instruction ID: cbca08b55e3726d1b66965a8f28016edaecd5df014110778c3408711f9d90cd4
Opcode Fuzzy Hash: 52ddf15903a37f5009b7e07001d006686b85c40c43cbca49ab7037a8aa9e2a19
Instruction Fuzzy Hash: 42618DB160A7C996DA3C992F8C95BBF3398DF4D700F20492DE842CB291D61D9E42C366

Function 007E7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c20ed4cbb62b745bed122d529e757d2ea092871c71529f1f75c13b279ea01e
Instruction ID: cd4aa90e27dfe2710018755f352da717dcac4fd342adc2214a301464c976b726
Opcode Fuzzy Hash: 61c20ed4cbb62b745bed122d529e757d2ea092871c71529f1f75c13b279ea01e
Instruction Fuzzy Hash: 42618C7130A7C9A6DE3CCA2B4C95BBF2389DF4E704F100959E942DF281DA1EAD42C356

Function 007E1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 46f0a54b4f3c58ac6cb6e4740ce65050a7bbe078d11bf0596ebea0b19d85c8df
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F881867260A0E34ADB2D423B857643EFFE15A963B135A079DD4F2CB1C2EE38D554D620

Function 00832046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c1a38ae5d457dc15b97de159f7575df8f929a98325d2ab8a8a4596eda4d9fb
Instruction ID: ec68498554b605cf039629a24612ed0b9eb664e3e3914c88a43fb8e0b05bb0f5
Opcode Fuzzy Hash: 50c1a38ae5d457dc15b97de159f7575df8f929a98325d2ab8a8a4596eda4d9fb
Instruction Fuzzy Hash: 0B21AB326215118BD72CDE79C82267E73E5F764310F19852EE4A7C77D0DE359904CB80

Function 00842ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00842B30
DeleteObject.GDI32(00000000), ref: 00842B43
DestroyWindow.USER32 ref: 00842B52
GetDesktopWindow.USER32 ref: 00842B6D
GetWindowRect.USER32(00000000), ref: 00842B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00842CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00842CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842CF8
GetClientRect.USER32(00000000,?), ref: 00842D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00842D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D80
GlobalLock.KERNEL32(00000000), ref: 00842D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842D98
GlobalUnlock.KERNEL32(00000000), ref: 00842DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842DA8
GlobalFree.KERNEL32(00000000), ref: 00842DB3
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00842DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0085FC38,00000000), ref: 00842DDB
GlobalFree.KERNEL32(00000000), ref: 00842DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00842E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00842E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00842E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0084303F

Strings

DISPLAY, xrefs: 00842EA2
AutoIt v3, xrefs: 00842CF2
static, xrefs: 00842D3A, 00842E91
, xrefs: 00842FC5

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8d9c176df576b11fb12cc5be776d6dd48d6324532d14457f18fb19c54485d619
Instruction ID: bac7b0a61116de4fa1221f45754291edfb99ed31310837df42f0f63bb99e4c95
Opcode Fuzzy Hash: 8d9c176df576b11fb12cc5be776d6dd48d6324532d14457f18fb19c54485d619
Instruction Fuzzy Hash: BD023771900209EFDB14DFA4DC89EAE7BB9FB48711F048159F915AB2A1DB78AD01CF60

Function 008570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0085712F
GetSysColorBrush.USER32(0000000F), ref: 00857160
GetSysColor.USER32(0000000F), ref: 0085716C
SetBkColor.GDI32(?,000000FF), ref: 00857186
SelectObject.GDI32(?,?), ref: 00857195
InflateRect.USER32(?,000000FF,000000FF), ref: 008571C0
GetSysColor.USER32(00000010), ref: 008571C8
CreateSolidBrush.GDI32(00000000), ref: 008571CF
FrameRect.USER32(?,?,00000000), ref: 008571DE
DeleteObject.GDI32(00000000), ref: 008571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00857230
FillRect.USER32(?,?,?), ref: 00857262
GetWindowLongW.USER32(?,000000F0), ref: 00857284

Part of subcall function 008573E8: GetSysColor.USER32(00000012), ref: 00857421
Part of subcall function 008573E8: SetTextColor.GDI32(?,?), ref: 00857425
Part of subcall function 008573E8: GetSysColorBrush.USER32(0000000F), ref: 0085743B
Part of subcall function 008573E8: GetSysColor.USER32(0000000F), ref: 00857446
Part of subcall function 008573E8: GetSysColor.USER32(00000011), ref: 00857463
Part of subcall function 008573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00857471
Part of subcall function 008573E8: SelectObject.GDI32(?,00000000), ref: 00857482
Part of subcall function 008573E8: SetBkColor.GDI32(?,00000000), ref: 0085748B
Part of subcall function 008573E8: SelectObject.GDI32(?,?), ref: 00857498
Part of subcall function 008573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008574B7
Part of subcall function 008573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008574CE
Part of subcall function 008573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008574DB

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: cf4c9166ffe574330998350fc3ffd2ad1491b1cbffa8e1f68296cb7b504372ee
Instruction ID: 613af097dd048f79602dde4377ab3607ecc6dfae2ddd3f88496ef5504128bd9c
Opcode Fuzzy Hash: cf4c9166ffe574330998350fc3ffd2ad1491b1cbffa8e1f68296cb7b504372ee
Instruction Fuzzy Hash: D2A19072008701AFDB019F64DC48A5BBBA9FB49322F104A19F9A2D61E1E779E948CF51

Function 00842711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0084273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0084286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00842900
GetClientRect.USER32(00000000,?), ref: 0084290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00842955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00842964
GetStockObject.GDI32(00000011), ref: 00842974
SelectObject.GDI32(00000000,00000000), ref: 00842978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00842988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00842991
DeleteDC.GDI32(00000000), ref: 0084299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00842A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00842A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00842A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00842A77
GetStockObject.GDI32(00000011), ref: 00842A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00842A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00842A97

Strings

DISPLAY, xrefs: 0084295A
AutoIt v3, xrefs: 008428F8
msctls_progress32, xrefs: 00842A13
static, xrefs: 0084294F, 00842A71

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e1c65497e154722f1084a2ec176875f735400a7b85aff5c5ff7855cb48c9e9af
Instruction ID: 6ac38a78566d360cebea23bc96c49bb84e08a12921675d66f08985a8a889a2a9
Opcode Fuzzy Hash: e1c65497e154722f1084a2ec176875f735400a7b85aff5c5ff7855cb48c9e9af
Instruction Fuzzy Hash: 47B13A71A40219AFEB14DF68DC8AFAE7BB9FB08715F004159F915E7290DB78AD40CB90

Function 00834ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00834AED
GetDriveTypeW.KERNEL32(?,0085CB68,?,\\.\,0085CC08), ref: 00834BCA
SetErrorMode.KERNEL32(00000000,0085CB68,?,\\.\,0085CC08), ref: 00834D36

Strings

iSCSI, xrefs: 00834CC2
SSD, xrefs: 00834C4A
Fibre, xrefs: 00834CAD
MMC, xrefs: 00834CDE
ATA, xrefs: 00834C98
Network, xrefs: 00834C02
Virtual, xrefs: 00834CE5
SAS, xrefs: 00834CC9
Unknown, xrefs: 00834BED, 00834C83
SCSI, xrefs: 00834C8A
USB, xrefs: 00834CB4
SSA, xrefs: 00834CA6
FileBackedVirtual, xrefs: 00834CEC
\\.\, xrefs: 00834B3F
ATAPI, xrefs: 00834C91
PhysicalDrive, xrefs: 00834B76
Removable, xrefs: 00834C10, 00834C15
RAMDisk, xrefs: 00834BF4
Fixed, xrefs: 00834C09
RAID, xrefs: 00834CBB
1394, xrefs: 00834C9F
CDROM, xrefs: 00834BFB
SATA, xrefs: 00834CD0

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 9b4aa055393aebb2f51438aef80e27c0a39ec9367af89df8c9e89dc838f02b14
Instruction ID: 855fe11cbfef22b4d75f868a83d3eee09bb7f09193d7fbd345608dd7cf203110
Opcode Fuzzy Hash: 9b4aa055393aebb2f51438aef80e27c0a39ec9367af89df8c9e89dc838f02b14
Instruction Fuzzy Hash: C4619330605209DBCB14EF64CA85D69B7A1FB84304F24A419F816EB752EB3AFD52DBC1

Function 007D8D85 Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 007D8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00816AC5
6F550200.COMCTL32(?,000000FF,?), ref: 00816AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00816F43

Part of subcall function 007D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D8BE8,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 007D8FC5

SendMessageW.USER32(?,00001053), ref: 00816F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00816F96

Strings

0, xrefs: 00816DCF

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$Window$DestroyF550200InvalidateMoveRect
String ID: 0
API String ID: 268457297-4108050209
Opcode ID: c3b5572a834f7ebb10586694c2ab6671e69d7004183675473ba3599cc32d288f
Instruction ID: 7714bac147c9fe0fdeeab4b91ff80050bbffb42616accee3f0715a61dce54d6b
Opcode Fuzzy Hash: c3b5572a834f7ebb10586694c2ab6671e69d7004183675473ba3599cc32d288f
Instruction Fuzzy Hash: 3F129C30204201DFDB65DF24D888BA5BBF9FF44311F58456AE485CB261DB35E8A2DF92

Function 008573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00857421
SetTextColor.GDI32(?,?), ref: 00857425
GetSysColorBrush.USER32(0000000F), ref: 0085743B
GetSysColor.USER32(0000000F), ref: 00857446
CreateSolidBrush.GDI32(?), ref: 0085744B
GetSysColor.USER32(00000011), ref: 00857463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00857471
SelectObject.GDI32(?,00000000), ref: 00857482
SetBkColor.GDI32(?,00000000), ref: 0085748B
SelectObject.GDI32(?,?), ref: 00857498
InflateRect.USER32(?,000000FF,000000FF), ref: 008574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0085752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00857554
InflateRect.USER32(?,000000FD,000000FD), ref: 00857572
DrawFocusRect.USER32(?,?), ref: 0085757D
GetSysColor.USER32(00000011), ref: 0085758E
SetTextColor.GDI32(?,00000000), ref: 00857596
DrawTextW.USER32(?,008570F5,000000FF,?,00000000), ref: 008575A8
SelectObject.GDI32(?,?), ref: 008575BF
DeleteObject.GDI32(?), ref: 008575CA
SelectObject.GDI32(?,?), ref: 008575D0
DeleteObject.GDI32(?), ref: 008575D5
SetTextColor.GDI32(?,?), ref: 008575DB
SetBkColor.GDI32(?,?), ref: 008575E5

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: f3376bb53dfa6ac1cc055a71dfeaad18f84d3e2ac7882c40d247c728f6d41d66
Instruction ID: 95e4528ffd98773882fec507af1f19da99e66a7dae2ea0ee99f28d6cc61fcd2f
Opcode Fuzzy Hash: f3376bb53dfa6ac1cc055a71dfeaad18f84d3e2ac7882c40d247c728f6d41d66
Instruction Fuzzy Hash: 2B615C72900718AFDF019FA4DC49EAEBFB9FB08362F118115F915AB2A1E7749940CF90

Function 00850FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00851128
GetDesktopWindow.USER32 ref: 0085113D
GetWindowRect.USER32(00000000), ref: 00851144
GetWindowLongW.USER32(?,000000F0), ref: 00851199
DestroyWindow.USER32(?), ref: 008511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0085120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0085121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00851232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00851245
IsWindowVisible.USER32(00000000), ref: 008512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008512D0
GetWindowRect.USER32(00000000,?), ref: 008512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0085130E
GetMonitorInfoW.USER32(00000000,?), ref: 00851328
CopyRect.USER32(?,?), ref: 0085133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008513AA

Strings

(, xrefs: 0085131B
tooltips_class32, xrefs: 008511E6
0, xrefs: 008510D3

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 5f13531b0ccb95406abfe7bc435e20a59ec4c9549135424d48e98121665823b7
Instruction ID: 9d0e937be3b844490c2fe1ee3641613475bdcd92d2dae75dcc5c0b340e1c6413
Opcode Fuzzy Hash: 5f13531b0ccb95406abfe7bc435e20a59ec4c9549135424d48e98121665823b7
Instruction Fuzzy Hash: F9B16971604341AFDB04DF64C889B6ABBE4FF88355F00891CF999DB2A1D775E848CB91

Function 007D8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D8968
GetSystemMetrics.USER32(00000007), ref: 007D8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D899B
GetSystemMetrics.USER32(00000008), ref: 007D89A3
GetSystemMetrics.USER32(00000004), ref: 007D89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007D89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007D89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007D8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007D8A3C
GetClientRect.USER32(00000000,000000FF), ref: 007D8A5A
GetStockObject.GDI32(00000011), ref: 007D8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 007D8A81

Part of subcall function 007D912D: GetCursorPos.USER32(?), ref: 007D9141
Part of subcall function 007D912D: ScreenToClient.USER32(00000000,?), ref: 007D915E
Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000001), ref: 007D9183
Part of subcall function 007D912D: GetAsyncKeyState.USER32(00000002), ref: 007D919D

SetTimer.USER32(00000000,00000000,00000028,007D90FC), ref: 007D8AA8

Strings

AutoIt v3 GUI, xrefs: 007D8A20

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f03ff511d4f47688ceeae06b7aeba3d0955e734045cfe270fe1dce0b3a8a138c
Instruction ID: efa9598c6257c2bc600d8fcf70ab0f4ef601b5a934fce723bd6618383dd9bf6d
Opcode Fuzzy Hash: f03ff511d4f47688ceeae06b7aeba3d0955e734045cfe270fe1dce0b3a8a138c
Instruction Fuzzy Hash: 52B17E75A0020A9FDF14DFA8CC49BAE7BB5FB48315F14422AFA55E7290DB38A840CF51

Function 00820D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00821114
Part of subcall function 008210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821120
Part of subcall function 008210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 0082112F
Part of subcall function 008210F9: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00821136
Part of subcall function 008210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00820DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00820E29
GetLengthSid.ADVAPI32(?), ref: 00820E40
GetAce.ADVAPI32(?,00000000,?), ref: 00820E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00820E96
GetLengthSid.ADVAPI32(?), ref: 00820EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00820EB5
RtlAllocateHeap.NTDLL(00000000), ref: 00820EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00820EDD
CopySid.ADVAPI32(00000000), ref: 00820EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00820F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00820F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00820F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820F6E
HeapFree.KERNEL32(00000000), ref: 00820F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820F7E
HeapFree.KERNEL32(00000000), ref: 00820F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00820F8E
HeapFree.KERNEL32(00000000), ref: 00820F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00820FA1
HeapFree.KERNEL32(00000000), ref: 00820FA8

Part of subcall function 00821193: GetProcessHeap.KERNEL32(00000008,00820BB1,?,00000000,?,00820BB1,?), ref: 008211A1
Part of subcall function 00821193: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 008211A8
Part of subcall function 00821193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00820BB1,?), ref: 008211B7

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocateDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4042927181-0
Opcode ID: b82d427d22c0f5630cd0f011efd4089353a714539e81240059e0a1e1a129a1dc
Instruction ID: e8fd5a8f357dda4ca454edf5055c1e289083482d309abcadce38e1268c6ff566
Opcode Fuzzy Hash: b82d427d22c0f5630cd0f011efd4089353a714539e81240059e0a1e1a129a1dc
Instruction Fuzzy Hash: 4E71587290031AAFDF209FA4ED48BAEBBB8FF04311F144115F959E6192DB359A49CF60

Function 0084C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0085CC08,00000000,?,00000000,?,?), ref: 0084C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0084C5A4
_wcslen.LIBCMT ref: 0084C5F4
_wcslen.LIBCMT ref: 0084C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0084C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0084C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0084C84D
RegCloseKey.ADVAPI32(?), ref: 0084C881
RegCloseKey.ADVAPI32(00000000), ref: 0084C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0084C960

Strings

REG_SZ, xrefs: 0084C644
REG_QWORD, xrefs: 0084C8C3
REG_DWORD, xrefs: 0084C804
REG_BINARY, xrefs: 0084C913
REG_MULTI_SZ, xrefs: 0084C6F5
REG_EXPAND_SZ, xrefs: 0084C5CD

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 8a5d51ae04628172a889ae8505e336ee6430dfda810ef8a0af60926cdebed14d
Instruction ID: be2dd260acb22fb38b473eb4da6896b001c3d3eb43183bb3858c07a2195cdbe6
Opcode Fuzzy Hash: 8a5d51ae04628172a889ae8505e336ee6430dfda810ef8a0af60926cdebed14d
Instruction Fuzzy Hash: 1D123335604204DFDB54DF14C885E2AB7E9FF88714F14889CF88A9B2A2DB35ED41CB85

Function 0085091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008509C6
_wcslen.LIBCMT ref: 00850A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00850A54
_wcslen.LIBCMT ref: 00850A8A
_wcslen.LIBCMT ref: 00850B06
_wcslen.LIBCMT ref: 00850B81

Part of subcall function 007DF9F2: _wcslen.LIBCMT ref: 007DF9FD

Part of subcall function 00822BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00822BFA

Strings

UNCHECK, xrefs: 00850D3E
SELECT, xrefs: 00850D11
CHECK, xrefs: 00850A85, 00850AA0
EXISTS, xrefs: 00850B7C, 00850B97
GETTEXT, xrefs: 00850C97
GETSELECTED, xrefs: 00850C4E
COLLAPSE, xrefs: 00850B01, 00850B1C
EXPAND, xrefs: 00850BF8
ISCHECKED, xrefs: 00850CE1
GETTOTALCOUNT, xrefs: 008509F2, 00850A17
GETITEMCOUNT, xrefs: 00850C1E

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 75cd2214b0511e98eaf3d5cdf070d7bf2619d752b5236af4b25df9aee1b4d284
Instruction ID: 069bf50da15b63899b403c40f4cfe979c524736a96c0bd3eeb07e5e1809b08bc
Opcode Fuzzy Hash: 75cd2214b0511e98eaf3d5cdf070d7bf2619d752b5236af4b25df9aee1b4d284
Instruction Fuzzy Hash: B4E157356083119FC714EF24C49092AB7E2FF98319B14895DF896AB362DB35ED49CF82

Function 0084C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
_wcslen.LIBCMT ref: 0084C9F1
_wcslen.LIBCMT ref: 0084CA68
_wcslen.LIBCMT ref: 0084CA9E
_wcslen.LIBCMT ref: 0084CAF9
_wcslen.LIBCMT ref: 0084CB2F
_wcslen.LIBCMT ref: 0084CB7F

Strings

HKLM, xrefs: 0084CA98, 0084CA9D
HKCR, xrefs: 0084CB29, 0084CB2E
HKCU, xrefs: 0084CBCE
HKU, xrefs: 0084CBF0
HKEY_CURRENT_CONFIG, xrefs: 0084CB79, 0084CB7E
HKEY_LOCAL_MACHINE, xrefs: 0084CA62, 0084CA67
HKEY_CLASSES_ROOT, xrefs: 0084CAF3, 0084CAF8
HKCC, xrefs: 0084CBAC
HKEY_CURRENT_USER, xrefs: 0084CBBD
HKEY_USERS, xrefs: 0084CBDF

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 4347bb6bef5f5e41b4d12df90ceff79e39b4ab18f86f4a19969df268d0e80721
Instruction ID: 2466a167981afbf23a6eeb048a47ef226ff5866224fda638ed2ab8feb5e560e5
Opcode Fuzzy Hash: 4347bb6bef5f5e41b4d12df90ceff79e39b4ab18f86f4a19969df268d0e80721
Instruction Fuzzy Hash: 5D71167260212E8BCB60EE7CCD515BE33A9FF60764B250528FC66E7284EA35DD44C7A0

Function 0085833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0085835A
_wcslen.LIBCMT ref: 0085836E
_wcslen.LIBCMT ref: 00858391
_wcslen.LIBCMT ref: 008583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0085361A,?), ref: 0085844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00858487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00858501
FreeLibrary.KERNEL32(?), ref: 0085850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0085851D
DestroyCursor.USER32(?), ref: 0085852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00858549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00858555

Strings

.exe, xrefs: 00858388
.icl, xrefs: 00858368
.dll, xrefs: 008583AB

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Load$Image_wcslen$LibraryMessageSend$CursorDestroyExtractFreeIcon
String ID: .dll$.exe$.icl
API String ID: 391920613-1154884017
Opcode ID: 6b80c635bc7514e1f2f0d1a31bef26dcc7ff0d059b035c44638812f6fd149d52
Instruction ID: 1dc692e3f9c63079141f89cab4e051a1bed2853b7ff8af6e103b3bc514486003
Opcode Fuzzy Hash: 6b80c635bc7514e1f2f0d1a31bef26dcc7ff0d059b035c44638812f6fd149d52
Instruction Fuzzy Hash: C461AE71500319FEEB149F64CC85BBE77A8FB08B22F10454AFD15E61D1EB78A994CBA0

Function 007C7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#pragma compile, xrefs: 007C77D3
#comments-end, xrefs: 007C78D9
#OnAutoItStartRegister, xrefs: 007C7817
Unterminated group of comments, xrefs: 0080528C
#include-once, xrefs: 007C782F
#ce, xrefs: 007C78ED
", xrefs: 00805153
Cannot parse #include, xrefs: 00805279
#cs, xrefs: 007C7873, 007C78C5
#include, xrefs: 007C7847
#comments-start, xrefs: 007C785F, 007C78B1
Bad directive syntax error, xrefs: 0080519A
#requireadmin, xrefs: 007C77FF
', xrefs: 00805169
#notrayicon, xrefs: 007C77E7

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 8974bf8846ba5e26f113063da5721356b2f16f4092083c4e88a1ca99fd6d60ad
Instruction ID: 329f013c8e33aff447018a4b260cf5543fe9fe30895c5b665ae13ff246ea91d8
Opcode Fuzzy Hash: 8974bf8846ba5e26f113063da5721356b2f16f4092083c4e88a1ca99fd6d60ad
Instruction Fuzzy Hash: 2781D471644609FBDB64AF60CD46FAF37A8FF14300F04402DF915AA296EB78DA15CBA1

Function 00825A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00825A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00825A40
SetWindowTextW.USER32(?,?), ref: 00825A57
GetDlgItem.USER32(?,000003EA), ref: 00825A6C
SetWindowTextW.USER32(00000000,?), ref: 00825A72
GetDlgItem.USER32(?,000003E9), ref: 00825A82
SetWindowTextW.USER32(00000000,?), ref: 00825A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00825AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00825AC3
GetWindowRect.USER32(?,?), ref: 00825ACC
_wcslen.LIBCMT ref: 00825B33
SetWindowTextW.USER32(?,?), ref: 00825B6F
GetDesktopWindow.USER32 ref: 00825B75
GetWindowRect.USER32(00000000), ref: 00825B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00825BD3
GetClientRect.USER32(?,?), ref: 00825BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00825C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00825C2F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 0a276f5aa06b136a5988a4c09130079ca6db8a0b7968c0e205bba207cf1288d1
Instruction ID: da2a4ff784b034964ab7b0e343dfb26438f3a42255afddad2daab6eb8c45038b
Opcode Fuzzy Hash: 0a276f5aa06b136a5988a4c09130079ca6db8a0b7968c0e205bba207cf1288d1
Instruction Fuzzy Hash: BB718C31900B19AFDB20DFA8DE89AAEBBF5FF48715F104918E542E25A0D774E984CF50

Function 007E00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007E00C6

Part of subcall function 007E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0089070C,00000FA0,33F761F6,?,?,?,?,008023B3,000000FF), ref: 007E011C
Part of subcall function 007E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008023B3,000000FF), ref: 007E0127
Part of subcall function 007E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008023B3,000000FF), ref: 007E0138
Part of subcall function 007E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 007E014E
Part of subcall function 007E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 007E015C
Part of subcall function 007E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 007E016A
Part of subcall function 007E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007E0195
Part of subcall function 007E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007E01A0

___scrt_fastfail.LIBCMT ref: 007E00E7

Part of subcall function 007E00A3: __onexit.LIBCMT ref: 007E00A9

Strings

InitializeConditionVariable, xrefs: 007E0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 007E0122
SleepConditionVariableCS, xrefs: 007E0154
WakeAllConditionVariable, xrefs: 007E0162
kernel32.dll, xrefs: 007E0133

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 02bbdb35c3d3ed2d68af69efc2c4ce18da34455fcbe703bd2598f953fffb6af4
Instruction ID: 5704595f4cea1ef2d04ecadd4c61e76f99e4a50c2358933773f4e1ee9e9e5739
Opcode Fuzzy Hash: 02bbdb35c3d3ed2d68af69efc2c4ce18da34455fcbe703bd2598f953fffb6af4
Instruction Fuzzy Hash: 4F21A732646754AFD7116BA5AC09B6E37B4FB09B62F14012AF911E6391DBBC98408ED0

Function 008230F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0082318D
_wcslen.LIBCMT ref: 008231F8

Strings

NAME, xrefs: 00823335, 00823346
TEXT, xrefs: 0082347C
CLASSNN, xrefs: 008231F3, 00823204
INSTANCE, xrefs: 00823453
CLASS, xrefs: 00823188, 008231A5
REGEXPCLASS, xrefs: 00823255, 00823266

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: c9cb551b38f6ed039ff2a6b306dcc7f2710a69ed03e04e481a8f7422c4119e23
Instruction ID: d37f5b5df863e973662a72d95a5611262eb30f3f5741d805b2730c2a7fd05f8a
Opcode Fuzzy Hash: c9cb551b38f6ed039ff2a6b306dcc7f2710a69ed03e04e481a8f7422c4119e23
Instruction Fuzzy Hash: 94E1E232A00626EBCB14EFA8D465AEDBBB4FF14714F54811AE556F3240DB38AFC58790

Function 008344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0085CC08), ref: 00834527
_wcslen.LIBCMT ref: 0083453B
_wcslen.LIBCMT ref: 00834599
_wcslen.LIBCMT ref: 008345F4
_wcslen.LIBCMT ref: 0083463F
_wcslen.LIBCMT ref: 008346A7

Part of subcall function 007DF9F2: _wcslen.LIBCMT ref: 007DF9FD

GetDriveTypeW.KERNEL32(?,00886BF0,00000061), ref: 00834743

Strings

ramdisk, xrefs: 008346F1
network, xrefs: 0083469D, 008346A2
cdrom, xrefs: 0083458F, 00834594
removable, xrefs: 008345EA, 008345EF
unknown, xrefs: 00834708
fixed, xrefs: 00834635, 0083463A
all, xrefs: 00834531, 00834536

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 9a03655fe780fe2af393963ddb8dcbb0811563a52b9b755aa00470ec546d74c0
Instruction ID: cf47882f041c04211554472462418021f935d3f08fa77f7029befdf8c78dc129
Opcode Fuzzy Hash: 9a03655fe780fe2af393963ddb8dcbb0811563a52b9b755aa00470ec546d74c0
Instruction Fuzzy Hash: 85B110316083029FC710EF28C895A6AB7E5FFE5764F50591DF496C7292E734E844CBA2

Function 0084AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0084B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084B1D4
_wcslen.LIBCMT ref: 0084B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084B236
_wcslen.LIBCMT ref: 0084B332

Part of subcall function 008305A7: GetStdHandle.KERNEL32(000000F6), ref: 008305C6

_wcslen.LIBCMT ref: 0084B34B
_wcslen.LIBCMT ref: 0084B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0084B3B6
GetLastError.KERNEL32(00000000), ref: 0084B407
CloseHandle.KERNEL32(?), ref: 0084B439
CloseHandle.KERNEL32(00000000), ref: 0084B44A
CloseHandle.KERNEL32(00000000), ref: 0084B45C
CloseHandle.KERNEL32(00000000), ref: 0084B46E
CloseHandle.KERNEL32(?), ref: 0084B4E3

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: fadc514cf0cfb48171398b55d46ceafcc3d2b46f0409031b053f9cb4e9b3b1bc
Instruction ID: 67d26ea0b7cf247574ad894151ec6a8a7cdb6b4d58bb11d169c773b28d5663d7
Opcode Fuzzy Hash: fadc514cf0cfb48171398b55d46ceafcc3d2b46f0409031b053f9cb4e9b3b1bc
Instruction Fuzzy Hash: C6F16531608244DFC724EF24C895B2ABBE5FF84314F14855DF8999B2A2CB35EC40CB92

Function 007C326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00891990), ref: 00802F8D
GetMenuItemCount.USER32(00891990), ref: 0080303D
GetCursorPos.USER32(?), ref: 00803081
SetForegroundWindow.USER32(00000000), ref: 0080308A
TrackPopupMenuEx.USER32(00891990,00000000,?,00000000,00000000,00000000), ref: 0080309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008030A9

Strings

0, xrefs: 007C327D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 308021bd3d145a16e1964af9e8a1ea759cce1fa4d29240c18f0435be9ce00830
Instruction ID: 858fe4a1ab6d46897904f843d0255b8a38af4c403606ae0e591ec51fc73b42de
Opcode Fuzzy Hash: 308021bd3d145a16e1964af9e8a1ea759cce1fa4d29240c18f0435be9ce00830
Instruction Fuzzy Hash: A1713870640316BEEB218F68DC4DF9ABF68FF04364F20421AF915A61E0C7B5AD10CB50

Function 00856CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00856DEB

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00856E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00856E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00856E94
DestroyWindow.USER32(?), ref: 00856EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007C0000,00000000), ref: 00856EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00856EFD
GetDesktopWindow.USER32 ref: 00856F16
GetWindowRect.USER32(00000000), ref: 00856F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00856F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00856F4D

Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952

Strings

tooltips_class32, xrefs: 00856E58, 00856EDD
0, xrefs: 00856D98

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 633f95788dab64a658ff63a0fd8a6e3982aeaee4b81c52d4c47e79f9f2330755
Instruction ID: 234091d1ffdf65cfcecc9ad01ea8c6df89d5ab738ba6ea19db615baa92533b52
Opcode Fuzzy Hash: 633f95788dab64a658ff63a0fd8a6e3982aeaee4b81c52d4c47e79f9f2330755
Instruction Fuzzy Hash: 2F717870504345AFDB21DF18D848FAABBE9FB98306F94051EF989C7260DB74A91ACF11

Function 0083C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0083C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0083C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0083C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0083C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0083C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0083C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0083C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0083C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0083C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0083C5F0
InternetCloseHandle.WININET(00000000), ref: 0083C5FB

Strings

, xrefs: 0083C575

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: b2e8e2b4826ad9d462f0fa6bce5c9480974e6fe27e27f174932ef5e4847f9763
Instruction ID: a86021cee42dfcff71bd508984dad9678aa1c3bbfd5620b8809d3aa25f86cb83
Opcode Fuzzy Hash: b2e8e2b4826ad9d462f0fa6bce5c9480974e6fe27e27f174932ef5e4847f9763
Instruction Fuzzy Hash: C15138B1500708BFDB219F64C988AAB7BBCFB88755F00451AF946E6610DB74E944DFA0

Function 0085856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00858592
GetFileSize.KERNEL32(00000000,00000000), ref: 008585A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 008585AD
CloseHandle.KERNEL32(00000000), ref: 008585BA
GlobalLock.KERNEL32(00000000), ref: 008585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 008585D7
GlobalUnlock.KERNEL32(00000000), ref: 008585E0
CloseHandle.KERNEL32(00000000), ref: 008585E7
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 008585F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0085FC38,?), ref: 00858611
GlobalFree.KERNEL32(00000000), ref: 00858621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00858641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00858671
DeleteObject.GDI32(00000000), ref: 00858699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008586AF

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 28986443417416e9eb61899d6ad1fdd9aefc32d5aa9d0abe95a8d9f9b7d4f5fd
Instruction ID: 6372ee05ddc3f96681af8d8353cef5d8a9b0e7c0d4b095abf6c02dfeed293cff
Opcode Fuzzy Hash: 28986443417416e9eb61899d6ad1fdd9aefc32d5aa9d0abe95a8d9f9b7d4f5fd
Instruction Fuzzy Hash: 36410775600308EFDB119FA5CC48EAABBB8FF99B16F104059F90AE7260DB349945CF60

Function 008314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00831502
VariantCopy.OLEAUT32(?,?), ref: 0083150B
VariantClear.OLEAUT32(?), ref: 00831517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00831657
VariantInit.OLEAUT32(?), ref: 00831708
SysFreeString.OLEAUT32(?), ref: 0083178C
VariantClear.OLEAUT32(?), ref: 008317D8
VariantClear.OLEAUT32(?), ref: 008317E7
VariantInit.OLEAUT32(00000000), ref: 00831823

Strings

Default, xrefs: 008316AF
%4d%02d%02d%02d%02d%02d, xrefs: 00831625

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 791115399cc9c6c0154238cad26795685490f80b96ede0a64e34946a469957d7
Instruction ID: 5683be3c03ffecb98681da6544804c34960198e479f667bb01ece32e6949bd75
Opcode Fuzzy Hash: 791115399cc9c6c0154238cad26795685490f80b96ede0a64e34946a469957d7
Instruction Fuzzy Hash: 2CD1B171A00219EBDF109F65D88DB79B7B5FF84B04F14845AE806EB280DB38EC45DBA1

Function 0084B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0084B80A
RegCloseKey.ADVAPI32(?), ref: 0084B87E
RegCloseKey.ADVAPI32(?), ref: 0084B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0084B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0084B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0084B922
FreeLibrary.KERNEL32(00000000), ref: 0084B983
RegCloseKey.ADVAPI32(00000000), ref: 0084B994

Strings

RegDeleteKeyExW, xrefs: 0084B8FE
advapi32.dll, xrefs: 0084B8ED

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: cd9376666ebc4c34612cbdf61bcc5107f01ce3fc469393328ad831e194cf7858
Instruction ID: 0d022db7736114b4ca8787039d2c3ef67ee60df971509f30600908e32e9679ca
Opcode Fuzzy Hash: cd9376666ebc4c34612cbdf61bcc5107f01ce3fc469393328ad831e194cf7858
Instruction Fuzzy Hash: 11C17B31208245EFD714DF24C499F2ABBE5FF84318F18855CE59A8B2A2CB35ED46CB91

Function 0084255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008425E8
CreateCompatibleDC.GDI32(?), ref: 008425F4
SelectObject.GDI32(00000000,?), ref: 00842601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0084266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008426D0
SelectObject.GDI32(?,?), ref: 008426D8
DeleteObject.GDI32(?), ref: 008426E1
DeleteDC.GDI32(?), ref: 008426E8
ReleaseDC.USER32(00000000,?), ref: 008426F3

Strings

(, xrefs: 0084268D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5c43413ee84e23012ed105bbd59c29d0c68bee394c42e8f78a18f2f0e7793dc1
Instruction ID: d819e80876ad1845c5597e58cb96f3e1e0157af874c4bfc45156416322ecbe84
Opcode Fuzzy Hash: 5c43413ee84e23012ed105bbd59c29d0c68bee394c42e8f78a18f2f0e7793dc1
Instruction Fuzzy Hash: 1461C275D00619EFCF04CFA8D884AAEBBB5FF48310F20852AE955A7250E774A951CF54

Function 007FDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 007FDAA1

Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD659
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD66B
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD67D
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD68F
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6A1
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6B3
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6C5
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6D7
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6E9
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD6FB
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD70D
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD71F
Part of subcall function 007FD63C: _free.LIBCMT ref: 007FD731

_free.LIBCMT ref: 007FDA96

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007FDAB8
_free.LIBCMT ref: 007FDACD
_free.LIBCMT ref: 007FDAD8
_free.LIBCMT ref: 007FDAFA
_free.LIBCMT ref: 007FDB0D
_free.LIBCMT ref: 007FDB1B
_free.LIBCMT ref: 007FDB26
_free.LIBCMT ref: 007FDB5E
_free.LIBCMT ref: 007FDB65
_free.LIBCMT ref: 007FDB82
_free.LIBCMT ref: 007FDB9A

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: a32cb01b92a63c2380454e4c83bf4aaba876aa326e018c79af99fe61a41ea6d6
Instruction ID: 799829d14c0927f6fe4ddb61f0c2f570c4dafb790b3ec564e3d1d76f330ca4fb
Opcode Fuzzy Hash: a32cb01b92a63c2380454e4c83bf4aaba876aa326e018c79af99fe61a41ea6d6
Instruction Fuzzy Hash: 2A315B71644209DFEB31AA78E849B7A77EAFF00311F114519E648E73A2DA79BC418B24

Function 0082365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0082369C
_wcslen.LIBCMT ref: 008236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00823797
GetClassNameW.USER32(?,?,00000400), ref: 0082380C
GetDlgCtrlID.USER32(?), ref: 0082385D
GetWindowRect.USER32(?,?), ref: 00823882
GetParent.USER32(?), ref: 008238A0
ScreenToClient.USER32(00000000), ref: 008238A7
GetClassNameW.USER32(?,?,00000100), ref: 00823921
GetWindowTextW.USER32(?,?,00000400), ref: 0082395D

Strings

%s%u, xrefs: 00823734

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b1a6c7adbc20b5ce500ba3a9bf4087b96b5fcda8e16dd8c781ecdd183613b225
Instruction ID: 9979dd12483b1417e44b77402b45ae15511227801ef39de92be695d03c182df0
Opcode Fuzzy Hash: b1a6c7adbc20b5ce500ba3a9bf4087b96b5fcda8e16dd8c781ecdd183613b225
Instruction Fuzzy Hash: D791D171204726AFD718DF24D8A5FAAF7E9FF45340F008529F999C2190DB38EA85CB91

Function 00824954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00824994
GetWindowTextW.USER32(?,?,00000400), ref: 008249DA
_wcslen.LIBCMT ref: 008249EB
CharUpperBuffW.USER32(?,00000000), ref: 008249F7
_wcsstr.LIBVCRUNTIME ref: 00824A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00824A64
GetWindowTextW.USER32(?,?,00000400), ref: 00824A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00824AE6
GetClassNameW.USER32(?,?,00000400), ref: 00824B20
GetWindowRect.USER32(?,?), ref: 00824B8B

Strings

ThumbnailClass, xrefs: 00824A6F, 00824AF1

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 961df813d9d2433befd25e85c4aa16c1117f94c8d44b9203d9228527d2b0a042
Instruction ID: 15a45442942fa4ad80686347ec42b88f27cfa446d0fbeeebe2c1198aeb70c367
Opcode Fuzzy Hash: 961df813d9d2433befd25e85c4aa16c1117f94c8d44b9203d9228527d2b0a042
Instruction Fuzzy Hash: A391BD7100432A9FDB04DF54E885BAA77E8FF84314F049469FD86DA096EB34ED85CBA1

Function 0084CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0084CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0084CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0084CD48

Part of subcall function 0084CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0084CCAA
Part of subcall function 0084CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0084CCBD
Part of subcall function 0084CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0084CCCF
Part of subcall function 0084CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0084CD05
Part of subcall function 0084CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0084CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0084CCF3

Strings

RegDeleteKeyExW, xrefs: 0084CCC9
advapi32.dll, xrefs: 0084CCB8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 97d0a2d76dd8784f48c33537185f1c91d91a49f8940922e683c2c2709f459dbe
Instruction ID: 5a3a70278185d0505df676f476b1c4b9e4a69468dbe61879715e0740be9cd488
Opcode Fuzzy Hash: 97d0a2d76dd8784f48c33537185f1c91d91a49f8940922e683c2c2709f459dbe
Instruction Fuzzy Hash: D8318A7190222DBFDB609BA4DC88EFFBB7CFF05751F000165A906E2250DA389A45DAA0

Function 0082E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0082E6B4

Part of subcall function 007DE551: timeGetTime.WINMM(?,?,0082E6D4), ref: 007DE555

Sleep.KERNEL32(0000000A), ref: 0082E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0082E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0082E727
SetActiveWindow.USER32 ref: 0082E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0082E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0082E773
Sleep.KERNEL32(000000FA), ref: 0082E77E
IsWindow.USER32 ref: 0082E78A
EndDialog.USER32(00000000), ref: 0082E79B

Strings

BUTTON, xrefs: 0082E719

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 40603e76ed9141183f64af181ad9181df79d571ffcf7264cc563300a834cc780
Instruction ID: 7750904e7cf03c79a9a900e97f083272da8c5932e67320f1dc8372e8009db7c3
Opcode Fuzzy Hash: 40603e76ed9141183f64af181ad9181df79d571ffcf7264cc563300a834cc780
Instruction Fuzzy Hash: 5F219370304315BFEB11AFA4FC89A253BA9F77474AF140426F516C16A2DB79AC40DF29

Function 0082E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0082EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0082EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0082EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0082EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0082EAA7

Strings

open , xrefs: 0082EA0C
alias PlayMe, xrefs: 0082EA36
play PlayMe wait, xrefs: 0082EA91
close PlayMe, xrefs: 0082EA6E, 0082EA9B
play PlayMe, xrefs: 0082EAA2
status PlayMe mode, xrefs: 0082EA58

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: dd0350a3d8ffe0d49814a310921e21c1eae7e1860ec0f7f0e5c8df820c2faf7e
Instruction ID: 909c664c36aee1055bccee6e58921691cca18a42e9ca7c5be003a4f512dac22a
Opcode Fuzzy Hash: dd0350a3d8ffe0d49814a310921e21c1eae7e1860ec0f7f0e5c8df820c2faf7e
Instruction Fuzzy Hash: B1114F21A90269B9D720B7A1EC4AEFF6B7CFBD1B40F40042DB811E21D1EA741955C6B0

Function 00825CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00825CE2
GetWindowRect.USER32(00000000,?), ref: 00825CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00825D59
GetDlgItem.USER32(?,00000002), ref: 00825D69
GetWindowRect.USER32(00000000,?), ref: 00825D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00825DCF
GetDlgItem.USER32(?,000003E9), ref: 00825DDD
GetWindowRect.USER32(00000000,?), ref: 00825DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00825E31
GetDlgItem.USER32(?,000003EA), ref: 00825E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00825E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00825E67

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e60f5b204fa3bc6f7c361c2a2b9c15a1571896c9e5d4a240d00f31af1a96171f
Instruction ID: a825481e42e4ee0583d0b35df4a1637e335da7e1a8ed97395723ffe22a448f53
Opcode Fuzzy Hash: e60f5b204fa3bc6f7c361c2a2b9c15a1571896c9e5d4a240d00f31af1a96171f
Instruction Fuzzy Hash: 5D511C71A40719AFDF18CF68DD89AAEBBB5FB48301F108129F915E6290D774AE40CF50

Function 007D9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 007D9944: GetWindowLongW.USER32(?,000000EB), ref: 007D9952

GetSysColor.USER32(0000000F), ref: 007D9862

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8354f674605d4d9aaa764e2e003c6cf41fb3118096b32c4a92bb75686c21ba59
Instruction ID: 89a8da4ea17af5fba55641aa0171cca1bb136aaf8ef594253daf6327f1eeacc0
Opcode Fuzzy Hash: 8354f674605d4d9aaa764e2e003c6cf41fb3118096b32c4a92bb75686c21ba59
Instruction Fuzzy Hash: 714173311447449FDB205F389C88BB93B75FB46771F14461AFAA2872E1D7399D41EB10

Function 007F8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.~, xrefs: 007F903A, 007F8FD0, 007F8FF2

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID: .~
API String ID: 0-505086709
Opcode ID: 14a0eeb3614ff5dd77136993b0d492b03b5b7075fc5c244b492a28218ca35f44
Instruction ID: 0a6a9fad284a35817a476b5e280936ea8de0462b85be011fc2c4508798c73d06
Opcode Fuzzy Hash: 14a0eeb3614ff5dd77136993b0d492b03b5b7075fc5c244b492a28218ca35f44
Instruction Fuzzy Hash: 84C1D37590424EEFCB11EFA9D845BBDBBB4BF09310F084059E714A7392CB399941CB61

Function 008296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0080F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00829717
LoadStringW.USER32(00000000,?,0080F7F8,00000001), ref: 00829720

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0080F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00829742
LoadStringW.USER32(00000000,?,0080F7F8,00000001), ref: 00829745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00829866

Strings

Line %d:, xrefs: 008297A0
Error: , xrefs: 0082981D
%s (%d) : ==> %s: %s %s, xrefs: 0082984A
^ ERROR, xrefs: 008297FB
Line %d (File "%s"):, xrefs: 0082978F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 4d535ac344d5a2d3181d0283bee4757fbe596094cd5aa7def4eb77e760e7dab9
Instruction ID: a63d61bb1e4dcbf13ddcc244630ff7125b06ecf622f86473747527d33cfa57a2
Opcode Fuzzy Hash: 4d535ac344d5a2d3181d0283bee4757fbe596094cd5aa7def4eb77e760e7dab9
Instruction Fuzzy Hash: 13412072900219AADB14FBE0DD4AEEEB778FF15340F10016DF605B2192EA396F58CB61

Function 008206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00820804
CLSIDFromString.COMBASE(?,000001FE), ref: 0082082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00820837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0082083C

Strings

\CLSID, xrefs: 00820724
SOFTWARE\Classes\, xrefs: 0082070E
\IPC$, xrefs: 00820784

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: f5c5d4fa5982000d08e1d7193464eb8210bb062589fce3ad2e627024dd425f12
Instruction ID: 277844d0c6a75b7824f6206a978221fa0e9c68246054ac012ee4004225347a27
Opcode Fuzzy Hash: f5c5d4fa5982000d08e1d7193464eb8210bb062589fce3ad2e627024dd425f12
Instruction Fuzzy Hash: 9B41E572C10629EBDF11EBA4EC89DEEB778FF04350B144129E915A31A1EB349E44CF90

Function 00843C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00843C5C
CoInitialize.OLE32(00000000), ref: 00843C8A
CoUninitialize.COMBASE ref: 00843C94
_wcslen.LIBCMT ref: 00843D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00843DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00843ED5
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00843F0E
CoGetObject.OLE32(?,00000000,0085FB98,?), ref: 00843F2D
SetErrorMode.KERNEL32(00000000), ref: 00843F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00843FC4
VariantClear.OLEAUT32(?), ref: 00843FD8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 99a6310c6ed069e59236e0e34670a2d03d068edb811483951cf9ac9e704f6661
Instruction ID: 10ed1c152e1e8150ef98d16cf97f3e01085463f68055e0b426330cd43389dd55
Opcode Fuzzy Hash: 99a6310c6ed069e59236e0e34670a2d03d068edb811483951cf9ac9e704f6661
Instruction Fuzzy Hash: 94C10271608309AFD700DF68C884A2AB7E9FF89748F10491DF98ADB251DB31EE05CB52

Function 00837A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00837AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00837B8F
SHGetDesktopFolder.SHELL32(?), ref: 00837BA3
CoCreateInstance.COMBASE(0085FD08,00000000,00000001,00886E6C,?), ref: 00837BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00837C74
CoTaskMemFree.COMBASE(?), ref: 00837CCC
SHBrowseForFolderW.SHELL32(?), ref: 00837D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00837D7A
CoTaskMemFree.COMBASE(00000000), ref: 00837D81
CoTaskMemFree.COMBASE(00000000), ref: 00837DD6
CoUninitialize.COMBASE ref: 00837DDC

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: e5e6549654f26a7e177b78005e01e2777b99410b6215c3b2b39afbac83cafac8
Instruction ID: 45703d74833cb90b1a4e78e3331c85caeaaef3ae057fe053bfb3d7d3b36dc2f1
Opcode Fuzzy Hash: e5e6549654f26a7e177b78005e01e2777b99410b6215c3b2b39afbac83cafac8
Instruction Fuzzy Hash: CFC1F975A04209AFCB14DF64C888DAEBBF9FF48314F1484A9E915DB261D734ED45CB90

Function 0085541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00855504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00855515
CharNextW.USER32(00000158), ref: 00855544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00855585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0085559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008555AC

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: dc5dd2183ca5108dac87e4c8d1df40eb5dd08f0c9f974be99f6f035fb65fe9e9
Instruction ID: ce0baee2529dc9f555b080a54a6cda9198babec5c233fa2831781b2c68e1b0f9
Opcode Fuzzy Hash: dc5dd2183ca5108dac87e4c8d1df40eb5dd08f0c9f974be99f6f035fb65fe9e9
Instruction Fuzzy Hash: 4861BE74904608EFDF109F94DC94AFE7BB9FB09326F104049F925E7290D7388A88DB60

Function 0081FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0081FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0081FB08
VariantInit.OLEAUT32(?), ref: 0081FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0081FB3A
VariantCopy.OLEAUT32(?,?), ref: 0081FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0081FBA1
VariantClear.OLEAUT32(?), ref: 0081FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0081FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0081FBCC
VariantClear.OLEAUT32(?), ref: 0081FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0081FBE9

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 8eb5d1484e018941a6cfe70b9792ee4da5f3b3311f22d98fbf4aa89dad720b48
Instruction ID: cf4e7148e3654ce18ab9b46974321c116c9a5858023687b3b6937a2853979c83
Opcode Fuzzy Hash: 8eb5d1484e018941a6cfe70b9792ee4da5f3b3311f22d98fbf4aa89dad720b48
Instruction Fuzzy Hash: AE413075A00219DFCB00DF68C858DEDBBB9FF48355F008069E955E7262C734A946CFA0

Function 00829C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00829CA1
GetAsyncKeyState.USER32(000000A0), ref: 00829D22
GetKeyState.USER32(000000A0), ref: 00829D3D
GetAsyncKeyState.USER32(000000A1), ref: 00829D57
GetKeyState.USER32(000000A1), ref: 00829D6C
GetAsyncKeyState.USER32(00000011), ref: 00829D84
GetKeyState.USER32(00000011), ref: 00829D96
GetAsyncKeyState.USER32(00000012), ref: 00829DAE
GetKeyState.USER32(00000012), ref: 00829DC0
GetAsyncKeyState.USER32(0000005B), ref: 00829DD8
GetKeyState.USER32(0000005B), ref: 00829DEA

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4495177f3da183ba72ff16683d249c37b8d727e7d6b8a96bb66909db7a7a9e5c
Instruction ID: 58ce416ef76860571ea2aabbdc67a421fa7e25b5264796330d426ef78be52059
Opcode Fuzzy Hash: 4495177f3da183ba72ff16683d249c37b8d727e7d6b8a96bb66909db7a7a9e5c
Instruction Fuzzy Hash: 4641D6345047D96DFF308664E8043B5BEE0FF11344F04805EDAC6965C2EBE499C8DBA2

Function 0084055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 008405BC
inet_addr.WS2_32(?), ref: 0084061C
gethostbyname.WS2_32(?), ref: 00840628
IcmpCreateFile.IPHLPAPI ref: 00840636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008407B9
WSACleanup.WS2_32 ref: 008407BF

Strings

Ping, xrefs: 00840676

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 5d622531aac10b9761c2d7ae366adbf820fce7ccae813b5ce57f25bfb0e2f3fe
Instruction ID: 679abf5bfe679ffc303341b132986380dab7af22b02d539f9e44e502d5ff3876
Opcode Fuzzy Hash: 5d622531aac10b9761c2d7ae366adbf820fce7ccae813b5ce57f25bfb0e2f3fe
Instruction Fuzzy Hash: 8E9157356043059FD320DF15C889F1ABBE0FB88318F1585A9E66ADB6A2C735ED41CF92

Function 00848CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00848CF3

Part of subcall function 00828E54: _wcslen.LIBCMT ref: 00828E77

_wcslen.LIBCMT ref: 00848D4E
_wcslen.LIBCMT ref: 00848D9C
_wcslen.LIBCMT ref: 00848DDC
_wcslen.LIBCMT ref: 00848E6E

Strings

stdcall, xrefs: 00848DD6, 00848DDB
winapi, xrefs: 00848D96, 00848D9B
cdecl, xrefs: 00848D48, 00848D4D
none, xrefs: 00848E65, 00848E6A

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 24caf6f84a5653eecef26fa6a327bda06b15b5798228ec039653c287c5082365
Instruction ID: cac2f49caa7152924ea0bd40af5d7af20fe5438fc059fd7dea5e2ac9f15f188e
Opcode Fuzzy Hash: 24caf6f84a5653eecef26fa6a327bda06b15b5798228ec039653c287c5082365
Instruction Fuzzy Hash: E6519031A0111ADBCF24EFACC9409BEB7A5FF64724B214229E926E72C5EB35DD40C790

Function 0084372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00843774
CoUninitialize.COMBASE ref: 0084377F
CoCreateInstance.COMBASE(?,00000000,00000017,0085FB78,?), ref: 008437D9
IIDFromString.COMBASE(?,?), ref: 0084384C
VariantInit.OLEAUT32(?), ref: 008438E4
VariantClear.OLEAUT32(?), ref: 00843936

Strings

Failed to create object, xrefs: 008437E4, 0084389A
NULL Pointer assignment, xrefs: 0084381E
Invalid parameter, xrefs: 00843865

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: da03b373e456bc1a4a99e7db9342a30ec1f51758cb1c419bb3853a1b997af35e
Instruction ID: 3abb555afe6fdc8937a07397e016269bd4f1e5401c81806859e4ea36363c6c67
Opcode Fuzzy Hash: da03b373e456bc1a4a99e7db9342a30ec1f51758cb1c419bb3853a1b997af35e
Instruction Fuzzy Hash: 7F616AB0608315AFD310DF54C889B6ABBE8FF49715F100829F995DB291D774EE48CB92

Function 00833388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008333CF

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008333F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00833522
Error: , xrefs: 008334D1
^ ERROR , xrefs: 0083349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00833504
Incorrect parameters to object property !, xrefs: 008334AB
Line %d (File "%s"):, xrefs: 00833443, 0083345C

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 0e33f8f8fd28f89fb8a6d65022a900b4a1be6356be717023d97b74963debca99
Instruction ID: abd8cabedb6422c54157ca4a478dbdcfe090c768ebcdebc30cdddb9f1a2ff19e
Opcode Fuzzy Hash: 0e33f8f8fd28f89fb8a6d65022a900b4a1be6356be717023d97b74963debca99
Instruction Fuzzy Hash: A951BE3190020AEADF14EBA0DD4AEEEB7B8FF14340F104169F505B2192EB392F58DB61

Function 0082B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0082B5FC
_wcslen.LIBCMT ref: 0082B608
_wcslen.LIBCMT ref: 0082B64D
_wcslen.LIBCMT ref: 0082B68C
_wcslen.LIBCMT ref: 0082B6C7

Strings

REMOVE, xrefs: 0082B602, 0082B607
KEYS, xrefs: 0082B647, 0082B64C
APPEND, xrefs: 0082B6C1, 0082B6C6
EXISTS, xrefs: 0082B686, 0082B68B

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 4fa73142bc8ebec4bd29532979078a46977a01583b6b17192ae01c267c9b965f
Instruction ID: 4af1de377458b904db5fb1ee7578e6c1d393765d68e8528c99939f7488ec2bb3
Opcode Fuzzy Hash: 4fa73142bc8ebec4bd29532979078a46977a01583b6b17192ae01c267c9b965f
Instruction Fuzzy Hash: B741A532A021369BCB206FBD98905BE77A5FB70758B244229E562D7284F735CDC1C790

Function 00835393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00835416
GetLastError.KERNEL32 ref: 00835420
SetErrorMode.KERNEL32(00000000,READY), ref: 008354A7

Strings

READONLY, xrefs: 00835452
READY, xrefs: 00835460, 00835468
INVALID, xrefs: 00835459
NOTREADY, xrefs: 0083544B
UNKNOWN, xrefs: 00835444

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a8906348cf377d79f594873973e295d1b9d2aa8d8b45cbe4061fc98d09322026
Instruction ID: 1c6a831d21927122c3cae6bc8082f60cf8a9117d572e8f6e9990cf660a6c1cf8
Opcode Fuzzy Hash: a8906348cf377d79f594873973e295d1b9d2aa8d8b45cbe4061fc98d09322026
Instruction Fuzzy Hash: 523180B5A006089FC714DF68C488FAABBB4FF85309F148069E905DB292E775DD86CBD1

Function 00853C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00853C79
SetMenu.USER32(?,00000000), ref: 00853C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00853D10
IsMenu.USER32(?), ref: 00853D24
CreatePopupMenu.USER32 ref: 00853D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00853D5B
DrawMenuBar.USER32 ref: 00853D63

Strings

0, xrefs: 00853C54
F, xrefs: 00853D4E

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 887ae02a88bd71a121b2cff82650506b25d3eefca3231ebff1208438bbfc3c69
Instruction ID: 5b634b9ff1332377d7e3c97e6f8531e1a76c1122273166e9f8dd85372b5f997e
Opcode Fuzzy Hash: 887ae02a88bd71a121b2cff82650506b25d3eefca3231ebff1208438bbfc3c69
Instruction Fuzzy Hash: 82415775A01309EFDB14CFA4D844BAABBB5FF49392F140029ED46A7360D734AA18CF90

Function 00853A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00853A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00853AA0
GetWindowLongW.USER32(?,000000F0), ref: 00853AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00853AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00853B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00853BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00853BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00853BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00853BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00853C13

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 4c297bd66765a7f36de2be0cf0fd4ebba02bd612666a070477b7c121ed6b2b25
Instruction ID: 39c229bde0c697f8fb87be3bc3fbbd7d2b035bc408bf926c02d46fcaf21aa115
Opcode Fuzzy Hash: 4c297bd66765a7f36de2be0cf0fd4ebba02bd612666a070477b7c121ed6b2b25
Instruction Fuzzy Hash: 1E617875A00208AFDB11DFA8CC85EEEB7B8FB09750F14409AFA15E72A1C774AE45DB50

Function 0082B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0082B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B165
GetWindowThreadProcessId.USER32(00000000), ref: 0082B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0082B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0082A1E1,?,00000001), ref: 0082B21D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6f5ca538e1c18e2d5d56aa47f4ff50773ebfaefa1df3285ba931a4293339c1a7
Instruction ID: 3fbca6b2dc2f573d0c75c1525bed491b914aa24aad457baf715d49fd1b3ff6f5
Opcode Fuzzy Hash: 6f5ca538e1c18e2d5d56aa47f4ff50773ebfaefa1df3285ba931a4293339c1a7
Instruction Fuzzy Hash: A63189B5511714EFDB10AF64EC48B6E7BA9FB61312F14400AFA02D6191D7B89A80CF64

Function 007F2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007F2C94

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007F2CA0
_free.LIBCMT ref: 007F2CAB
_free.LIBCMT ref: 007F2CB6
_free.LIBCMT ref: 007F2CC1
_free.LIBCMT ref: 007F2CCC
_free.LIBCMT ref: 007F2CD7
_free.LIBCMT ref: 007F2CE2
_free.LIBCMT ref: 007F2CED
_free.LIBCMT ref: 007F2CFB

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7b75c0e7b2429211e8078bde9c561d54c2d89f3ec88833cdb2bd27df62978d69
Instruction ID: 148bf57f52749e1f80555ee72404c39cbf539e99d82ee78528d34da244b03d05
Opcode Fuzzy Hash: 7b75c0e7b2429211e8078bde9c561d54c2d89f3ec88833cdb2bd27df62978d69
Instruction Fuzzy Hash: 5A11807614010DEFCB02EF94D886CAD3BA5BF05350F5144A5FA48AB332DA75EA519F90

Function 007C1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007C1459
OleUninitialize.OLE32(?,00000000), ref: 007C14F8
UnregisterHotKey.USER32(?), ref: 007C16DD
DestroyWindow.USER32(?), ref: 008024B9
FreeLibrary.KERNEL32(?), ref: 0080251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0080254B

Strings

close all, xrefs: 007C1454

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 0df2aa1f845e0a7f7baa84f12d9e7636a18d8ccb03511b01270667d0e11a396e
Instruction ID: 4f998ad388822f8d1dce0816f23c7ba0ddc1379386d95f8d8037e256af11762e
Opcode Fuzzy Hash: 0df2aa1f845e0a7f7baa84f12d9e7636a18d8ccb03511b01270667d0e11a396e
Instruction Fuzzy Hash: C7D16931601212CFCB59EF14C899F29F7A4FF05710F5442ADE94AAB292DB35AD22CF94

Function 00844523 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00844648
VariantInit.OLEAUT32(?), ref: 00844749
VariantClear.OLEAUT32(?), ref: 00844753
VariantClear.OLEAUT32(?), ref: 008447B0

Strings

get__NewEnum, xrefs: 0084454F
Incorrect Object type in FOR..IN loop, xrefs: 0084472C
Null Object assignment in FOR..IN loop, xrefs: 008445D8, 00844706, 008447BE
_NewEnum, xrefs: 00844531

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
API String ID: 2610073882-1765764032
Opcode ID: 77d3d6e7c2625df21b518405a592a825771d0c67bcc7b6d3048a6d932a02c80d
Instruction ID: 5498833e78a6addc9177ad3ab499107db2c898db1db8898972eca4d579306ca4
Opcode Fuzzy Hash: 77d3d6e7c2625df21b518405a592a825771d0c67bcc7b6d3048a6d932a02c80d
Instruction Fuzzy Hash: 80918971A0021DABDF20CFA4C888FAEBBB8FF46714F109559E515EB281D7749946CFA0

Function 00837DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00837FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00837FC1
GetFileAttributesW.KERNEL32(?), ref: 00837FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00838005
SetCurrentDirectoryW.KERNEL32(?), ref: 00838017
SetCurrentDirectoryW.KERNEL32(?), ref: 00838060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008380B0

Strings

*.*, xrefs: 00838066

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 560ab8e64a1c5a6133e1a4adcf2cb2fc9a9a05b08bb1965af4cc3a07b458edbb
Instruction ID: 18ea1dee8fadd51b538f60904bdd7673d6c1bf29969d97ac1c4da601d3e05785
Opcode Fuzzy Hash: 560ab8e64a1c5a6133e1a4adcf2cb2fc9a9a05b08bb1965af4cc3a07b458edbb
Instruction Fuzzy Hash: 75817DB2508345DBCB34EF14C894AAAB3E8FBC8714F14486EF885D7250EB79DD458B92

Function 007C5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 007C5C7A

Part of subcall function 007C5D0A: GetClientRect.USER32(?,?), ref: 007C5D30
Part of subcall function 007C5D0A: GetWindowRect.USER32(?,?), ref: 007C5D71
Part of subcall function 007C5D0A: ScreenToClient.USER32(?,?), ref: 007C5D99

GetDC.USER32 ref: 008046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00804708
SelectObject.GDI32(00000000,00000000), ref: 00804716
SelectObject.GDI32(00000000,00000000), ref: 0080472B
ReleaseDC.USER32(?,00000000), ref: 00804733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008047C4

Strings

U, xrefs: 00804693

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 1aba0fadf681fab32d3f553820585bc3ebdcdb7af29a4d3c418483549390d461
Instruction ID: ce6abef5fbf266bc86b5a3458114e8310efb7b12000445c9182520b3e11f88a4
Opcode Fuzzy Hash: 1aba0fadf681fab32d3f553820585bc3ebdcdb7af29a4d3c418483549390d461
Instruction Fuzzy Hash: DF71F170500209DFCF618F64CD84EBA3BB1FF4A315F185269EE519A2A6D7369881DF60

Function 007FAF88 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 007FAFAB

Strings

sqrt, xrefs: 007FB12F
log, xrefs: 007FB051, 007FB05D
log10, xrefs: 007FAFF5, 007FB045
exp, xrefs: 007FB070, 007FB0D2
acos, xrefs: 007FB123
pow, xrefs: 007FB08F, 007FB13B, 007FB14E
asin, xrefs: 007FB117

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 99677710c857757d47bcd5228b412fe5acb5fc3641d9319225381b5944adf800
Instruction ID: 3dce46fd30d0ac30935a21c62cfaadc5556ee5263d1301bc3897aaf61ae8f7ea
Opcode Fuzzy Hash: 99677710c857757d47bcd5228b412fe5acb5fc3641d9319225381b5944adf800
Instruction Fuzzy Hash: D3517FB490060EDBCF14DFA8E94C1BDBBB4FF49300F210195E691AB364CB798D289B15

Function 0083359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008335E4

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

LoadStringW.USER32(00892390,?,00000FFF,?), ref: 0083360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00833742
Error: , xrefs: 008336EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00833724
^ ERROR, xrefs: 008336C9
Line %d (File "%s"):, xrefs: 0083366B

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 2a53e7e1a2bf602e86f08f5509df3c408963896b7ce7a947853f7f5882d99d4c
Instruction ID: ad8d2e08a3e4e001e93e7c25c4fb0c91338eff452f960f4ecd1827d2dde71829
Opcode Fuzzy Hash: 2a53e7e1a2bf602e86f08f5509df3c408963896b7ce7a947853f7f5882d99d4c
Instruction Fuzzy Hash: DF516D7190021AFADF14EBA0DC4AEEDBB78FF14340F144129F515B21A1EB381A98DFA1

Function 00853886 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00853925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0085393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00853954
_wcslen.LIBCMT ref: 00853999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008539F4

Strings

-----, xrefs: 008539A7
SysListView32, xrefs: 008538F7

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: -----$SysListView32
API String ID: 2147712094-3975388722
Opcode ID: 28f3f1e3df0a48ac58d77027b2f18db20bbc7f4415cac2d71c9dea0d480643d1
Instruction ID: cd63969a9a7897e7bf89b5248c65ba31ff5ede642a17bae90bea9d0bfb493fb5
Opcode Fuzzy Hash: 28f3f1e3df0a48ac58d77027b2f18db20bbc7f4415cac2d71c9dea0d480643d1
Instruction Fuzzy Hash: 21419571A00319ABEF219F64CC49FEA7BA9FF08395F10052AF954E7281D7759E84CB90

Function 0083C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0083C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0083C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0083C2CA
GetLastError.KERNEL32 ref: 0083C322
SetEvent.KERNEL32(?), ref: 0083C336
InternetCloseHandle.WININET(00000000), ref: 0083C341

Strings

, xrefs: 0083C2BB

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 62069151e0132c7c2778360bfa362ffcb3f4d01cfb748e1ef172c66bccae6949
Instruction ID: 6412d31e1343938fdaabcf3b6f47eeed56a73ad4d9907122ef4fa7cea6b2ea44
Opcode Fuzzy Hash: 62069151e0132c7c2778360bfa362ffcb3f4d01cfb748e1ef172c66bccae6949
Instruction Fuzzy Hash: 52314DB1600708AFDB219F65DC88AAB7BFCFB89745F14851DF446E6200DB34DD059BA1

Function 0082989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00803AAF,?,?,Bad directive syntax error,0085CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008298BC
LoadStringW.USER32(00000000,?,00803AAF,?), ref: 008298C3

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00829987

Strings

Line %d:, xrefs: 00829912
Error: , xrefs: 00829955
., xrefs: 0082996D
%s (%d) : ==> %s.: %s %s, xrefs: 008298F1
Line %d (File "%s"):, xrefs: 0082992D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: a0b3b721d6c5070d90cb2f93864b5c6cba194442117540ae686c020135d93942
Instruction ID: ec59cfcd30ed32bce4f2491fa1bd39d6a9e0e23edde665cbc686ab7efa9a5cf8
Opcode Fuzzy Hash: a0b3b721d6c5070d90cb2f93864b5c6cba194442117540ae686c020135d93942
Instruction Fuzzy Hash: AF21803190031AEBCF11AF90DC0AEEE7779FF18304F04445EF529A61A2EB399668CB11

Function 0082209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0082214D

Strings

list, xrefs: 0082212F
SHELLDLL_DefView, xrefs: 008220CC
largeicons, xrefs: 008220E1
details, xrefs: 008220FB
smallicons, xrefs: 00822115

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a9f5a792dc54f11396f29cd57d1abb4f5c0dd6c7534b22e965e57d3e19e56493
Instruction ID: 457452c497638deedea74084079feb82a7b57569c9a3c097be2f8d19aad2ccb1
Opcode Fuzzy Hash: a9f5a792dc54f11396f29cd57d1abb4f5c0dd6c7534b22e965e57d3e19e56493
Instruction Fuzzy Hash: 8211277A684716F9F6012221AC0ACE637DCFF18334B200026F704E40D1FF6978A15618

Function 007FCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 007FCEB7
_free.LIBCMT ref: 007FCF22
_free.LIBCMT ref: 007FCF48
_free.LIBCMT ref: 007FCF71
_free.LIBCMT ref: 007FCFA9
_free.LIBCMT ref: 007FCFDA
_free.LIBCMT ref: 007FD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 007FD09C
_free.LIBCMT ref: 007FD0B5

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 7f499602bd6a6e0557cae1bba3f6a1d69fdaddf647049b7ab8035206d1c0cc6a
Instruction ID: c5f044e4c979612d5c0d8d6c691afa57c06959d708f898b73044ebe8bcbe0b89
Opcode Fuzzy Hash: 7f499602bd6a6e0557cae1bba3f6a1d69fdaddf647049b7ab8035206d1c0cc6a
Instruction Fuzzy Hash: 8361287290430DAFDB22AFB49949679BBE5EF05320F04426EFB41A7382D63D9D019B50

Function 007D8BCD Relevance: 13.7, APIs: 9, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D8BE8,?,00000000,?,?,?,?,007D8BBA,00000000,?), ref: 007D8FC5

DestroyWindow.USER32(?), ref: 007D8C81
KillTimer.USER32(00000000,?,?,?,?,007D8BBA,00000000,?), ref: 007D8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00816973
DeleteObject.GDI32(00000000), ref: 008169E6

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 924c510b89e18d7630f5885df56e2fe598f5fa2cd97d91a417e3eca4dfac5c4a
Instruction ID: 66c070590683f01a8e02922216fd15755c2179afa99ddbf1d4ee31971ad0d14b
Opcode Fuzzy Hash: 924c510b89e18d7630f5885df56e2fe598f5fa2cd97d91a417e3eca4dfac5c4a
Instruction Fuzzy Hash: B961BE30116711DFCF61AF18D948B69BBF5FF40312F18455EE0869AAA0CB39A8D0CF62

Function 008550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00855186
ShowWindow.USER32(?,00000000), ref: 008551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008551D1

Part of subcall function 00856FBA: DeleteObject.GDI32(00000000), ref: 00856FE6

GetWindowLongW.USER32(?,000000F0), ref: 0085520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0085521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0085524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00855287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00855296

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 33117f2f06b6a3353abfc608c49c1a3258bf50d33af087dc2f586768ece78ee8
Instruction ID: 18ca3a688ade054c403ff73cb2f014919265f0ba615df94e765a9b297b104c4b
Opcode Fuzzy Hash: 33117f2f06b6a3353abfc608c49c1a3258bf50d33af087dc2f586768ece78ee8
Instruction Fuzzy Hash: 4C518F30A90A09BEEF209F24CC69B983BA5FB05367F144016FE15D66E0C775A988DF41

Function 007D8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00816890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008168F2
DestroyCursor.USER32(00000000), ref: 00816901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0081691E
DestroyCursor.USER32(00000000), ref: 0081692D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: 6f58edd349530dc4748dd7c2b5755c61b182fa7bd101d4cd3cd32b1d25c521ea
Instruction ID: 35a7f22effe271234a2e4a27f2b0d7205f7cd8c0b0e06e82e41cf8501165d792
Opcode Fuzzy Hash: 6f58edd349530dc4748dd7c2b5755c61b182fa7bd101d4cd3cd32b1d25c521ea
Instruction Fuzzy Hash: 69518AB0600305EFDB20DF28CC95FAA7BB5FF48351F14452AF956D62A0EB74A990DB50

Function 0083C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0083C182
GetLastError.KERNEL32 ref: 0083C195
SetEvent.KERNEL32(?), ref: 0083C1A9

Part of subcall function 0083C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0083C272
Part of subcall function 0083C253: GetLastError.KERNEL32 ref: 0083C322
Part of subcall function 0083C253: SetEvent.KERNEL32(?), ref: 0083C336
Part of subcall function 0083C253: InternetCloseHandle.WININET(00000000), ref: 0083C341

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 3c5f5ce8dcd88b892bae7295606955a3dae050b54e8220e570441d1ca6d32710
Instruction ID: 55a03792e8d970f7e1cb8b637689345fc726e385bf9329e2c6fdd7acb07f66be
Opcode Fuzzy Hash: 3c5f5ce8dcd88b892bae7295606955a3dae050b54e8220e570441d1ca6d32710
Instruction Fuzzy Hash: CC317871200705AFDB219FA9DC44A6BBBE9FF98301F00442DF956E6610DB34E814EFA0

Function 008225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00823A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00823A57
Part of subcall function 00823A3D: GetCurrentThreadId.KERNEL32 ref: 00823A5E
Part of subcall function 00823A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008225B3), ref: 00823A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00822601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00822605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0082260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00822623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00822627

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f3729a2411a822b5660c9290ac5975a35eb63dbe1e2289509019801618d7d5ee
Instruction ID: aadd33f229d9ee95b329cb83597e25192174aed9aff3668e8486854835b64916
Opcode Fuzzy Hash: f3729a2411a822b5660c9290ac5975a35eb63dbe1e2289509019801618d7d5ee
Instruction Fuzzy Hash: AE01D431390724BBFB1067689C8AF593F99FB5EB12F100016F318EE1D1C9E624848E6A

Function 00821803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00821449,?,?,00000000), ref: 0082180C
RtlAllocateHeap.NTDLL(00000000,?,00821449), ref: 00821813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00821449,?,?,00000000), ref: 00821828
GetCurrentProcess.KERNEL32(?,00000000,?,00821449,?,?,00000000), ref: 00821830
DuplicateHandle.KERNEL32(00000000,?,00821449,?,?,00000000), ref: 00821833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00821449,?,?,00000000), ref: 00821843
GetCurrentProcess.KERNEL32(00821449,00000000,?,00821449,?,?,00000000), ref: 0082184B
DuplicateHandle.KERNEL32(00000000,?,00821449,?,?,00000000), ref: 0082184E
CreateThread.KERNEL32(00000000,00000000,00821874,00000000,00000000,00000000), ref: 00821868

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 21d88d27ecd1774a3c9566dddd3e4035c028c4a0abdc300d2e6ac9c4a8c947a1
Instruction ID: c9b630d17981d7986f3ee78d21fa1528d1a997e1db6ebe5b7e38d34d8272e93c
Opcode Fuzzy Hash: 21d88d27ecd1774a3c9566dddd3e4035c028c4a0abdc300d2e6ac9c4a8c947a1
Instruction Fuzzy Hash: 9101A8B5680708BFEA10ABA5DC4DF6B7BACFB89B11F404411FA05DB2A1CA749844CF20

Function 0084A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0082D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0082D501
Part of subcall function 0082D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0082D50F
Part of subcall function 0082D4DC: CloseHandle.KERNEL32(00000000), ref: 0082D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084A16D
GetLastError.KERNEL32 ref: 0084A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0084A268
GetLastError.KERNEL32(00000000), ref: 0084A273
CloseHandle.KERNEL32(00000000), ref: 0084A2C4

Strings

SeDebugPrivilege, xrefs: 0084A18F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d2bf16a4aa1f7049c5e7c7b6f76de6feb9a4730d7ced1bd3adf7896e0d868302
Instruction ID: eb6881e024c5b5ab7fe1706f7e8a1a05c455af64474c84fd168dcbb4e315c2f8
Opcode Fuzzy Hash: d2bf16a4aa1f7049c5e7c7b6f76de6feb9a4730d7ced1bd3adf7896e0d868302
Instruction Fuzzy Hash: DD617B312442569FD724DF18C498F2ABBA1FF54318F18848CE4668F7A2C7B6ED45CB92

Function 0082BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0082BCFD
IsMenu.USER32(00000000), ref: 0082BD1D
CreatePopupMenu.USER32 ref: 0082BD53
GetMenuItemCount.USER32(01513990), ref: 0082BDA4
InsertMenuItemW.USER32(01513990,?,00000001,00000030), ref: 0082BDCC

Strings

2, xrefs: 0082BD37
0, xrefs: 0082BCA8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f82b0dd104e58dfa16f17663b70b7898024c85092ba4fa8c7d1fbc892f06d1dd
Instruction ID: de5a772d43b379bae56b7f94c523db56320e00e86f5ed700f302b2e3eb224c78
Opcode Fuzzy Hash: f82b0dd104e58dfa16f17663b70b7898024c85092ba4fa8c7d1fbc892f06d1dd
Instruction Fuzzy Hash: BD51AD70A02329ABDB10CFA8E888BEEBBF4FF45354F148159E851D72D1E7749981CB61

Function 007E2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 007E2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 007E2D53
_ValidateLocalCookies.LIBCMT ref: 007E2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 007E2E0C
_ValidateLocalCookies.LIBCMT ref: 007E2E61

Strings

&H~, xrefs: 007E2DFE, 007E2E07, 007E2E18
csm, xrefs: 007E2DF6

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H~$csm
API String ID: 1170836740-3418752573
Opcode ID: c887d400749ae42c76fbd2a13e09c8f693649b1686cb1ccf9b9b6a8468c5c748
Instruction ID: d0d074d5457f3f40d52769fed0f9e79a1335d4f8535167e878daac8cc9d822c1
Opcode Fuzzy Hash: c887d400749ae42c76fbd2a13e09c8f693649b1686cb1ccf9b9b6a8468c5c748
Instruction Fuzzy Hash: CE41A934E02249EBCF10DF59CC49A9EBBB9BF48314F148155E9149B353D7799A12CB90

Function 0082C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0082C913

Strings

warning, xrefs: 0082C8FC
blank, xrefs: 0082C895
stop, xrefs: 0082C8E4
info, xrefs: 0082C8B4
question, xrefs: 0082C8CC

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 0a87fa9c2af5e981d1ae4a9c41bbbb56ffa1539d5d091f14587f66eeffc7ca9d
Instruction ID: 72d82e15cff4d987e9a9eb35d4323dcf661ae38b10df57d546cd7a208b041e17
Opcode Fuzzy Hash: 0a87fa9c2af5e981d1ae4a9c41bbbb56ffa1539d5d091f14587f66eeffc7ca9d
Instruction Fuzzy Hash: 26112E3168931ABAE7006B54AC82CBE2B9CFF15324B50403AF500E6281E7A85DC05768

Function 0082ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0082ED2A
_wcslen.LIBCMT ref: 0082ED3B
_wcslen.LIBCMT ref: 0082ED79
_wcslen.LIBCMT ref: 0082EDAF
_wcslen.LIBCMT ref: 0082EDDF
_wcslen.LIBCMT ref: 0082EDEF
_wcslen.LIBCMT ref: 0082EE2B
_wcslen.LIBCMT ref: 0082EE5A

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 0e78d5b186ef999d215e9c1f8564f774860e72f32d783fecbb2b65b12c7c2029
Instruction ID: 7f4806df5adaee17ab1fc8458681e8bf1a51d50b100a644447daaaabd71efa52
Opcode Fuzzy Hash: 0e78d5b186ef999d215e9c1f8564f774860e72f32d783fecbb2b65b12c7c2029
Instruction Fuzzy Hash: F1417266C11258B5CB11EBF5888E9CF77ACFF49710F504462E614E3122EB38E655C3E9

Function 007DF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 007DF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 0081F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 0081F454

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5d780a9bbb6da38b4795f5aa586e4318f437b26760a907e593e278b97cc8f049
Instruction ID: a2eac427a6189a2d23532ce8322ffced11f0765e2d626d7494f752f314a3e708
Opcode Fuzzy Hash: 5d780a9bbb6da38b4795f5aa586e4318f437b26760a907e593e278b97cc8f049
Instruction Fuzzy Hash: 3A410870A08780BECB399B2D88A876A7AB5FF55314F14403EE18BD6761C639B8C0CB11

Function 00852D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00852D1B
GetDC.USER32(00000000), ref: 00852D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00852D2E
ReleaseDC.USER32(00000000,00000000), ref: 00852D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00852D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00852D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00855A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00852DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00852DE1

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 43ae84b9a0ef33d9f480f669aefe49aaa1e490f0b73ea10f39db50510924932a
Instruction ID: 465d927982271e0990244e69a0d33e4a28c51290bed385fb4df16cd2400b1a87
Opcode Fuzzy Hash: 43ae84b9a0ef33d9f480f669aefe49aaa1e490f0b73ea10f39db50510924932a
Instruction Fuzzy Hash: 60316B72201714BFEB118F548C8AFEB3FA9FB1A756F044055FE08DA291C6799C50CBA4

Function 00825622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00825637
_memcmp.LIBVCRUNTIME ref: 00825659
_memcmp.LIBVCRUNTIME ref: 00825671
_memcmp.LIBVCRUNTIME ref: 00825684
_memcmp.LIBVCRUNTIME ref: 0082569E
_memcmp.LIBVCRUNTIME ref: 008256B1
_memcmp.LIBVCRUNTIME ref: 008256C9
_memcmp.LIBVCRUNTIME ref: 008256E4

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1bc43a31db38b938d5118ffc1f2be9829304ac0af1234a49ead3301be2818235
Instruction ID: a538a66cb5c5f305e6b1a26f352b1248adce2ce722fa71f30ce33d0e3e3af508
Opcode Fuzzy Hash: 1bc43a31db38b938d5118ffc1f2be9829304ac0af1234a49ead3301be2818235
Instruction Fuzzy Hash: 5321B371AC2A69BBD2149525AE82FBB235CFF34395F840030FE05DA686F738ED5481A5

Function 00844FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00845007
NULL Pointer assignment, xrefs: 0084502E, 00845383

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 3db5e5ee6a25ded876790519b51c7c205613a4e2cd1fbb24a5e3ed85560a8d2d
Instruction ID: 9f11ed61effe3b1202cb7047dc3749c7ef5e5d2999bcd30fffd3d6591bbfc6b6
Opcode Fuzzy Hash: 3db5e5ee6a25ded876790519b51c7c205613a4e2cd1fbb24a5e3ed85560a8d2d
Instruction Fuzzy Hash: 99D18C75A0061EAFDB10CFA8C881BAEB7B5FF48344F148469E915EB282E771DD45CB90

Function 00801522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 008015CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00801651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008016E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 008016FB

Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444), ref: 007F3852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00801777
__freea.LIBCMT ref: 008017A2
__freea.LIBCMT ref: 008017AE

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 6340e59447d84d55aa3d9393bb76f65ac0c3860d81051305e6a9022f30376dd6
Instruction ID: bb0c76376fce074beb8107cf584df1b6695a30720795a44aae83973b680ad5b2
Opcode Fuzzy Hash: 6340e59447d84d55aa3d9393bb76f65ac0c3860d81051305e6a9022f30376dd6
Instruction Fuzzy Hash: 02919472E0021A9EDF608E64CC89AFE7BB5FF49724F184659E911EB2C5DB25DC40CB60

Function 00831187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0083125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00831284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0083135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00831430

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: a65a068049ace7e3f99c1f7801330a85a73c5532f846ee736ffa366b3127b28a
Instruction ID: db9ad9cf690ed972d5f597f4c563a5db164328cda020265339807434eb02d3fc
Opcode Fuzzy Hash: a65a068049ace7e3f99c1f7801330a85a73c5532f846ee736ffa366b3127b28a
Instruction Fuzzy Hash: 9191D271A002099FDF00DFA8C898BBEB7B5FF84B15F144429E911EB291DB78A941CBD5

Function 007D948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9b9e114eb9db3d60655231bf17aaae27173a497d8c63be46c8a40e4df4e7dca3
Instruction ID: 61d866f9acd12799a97bf74b5ff5cbe1d245edc3120e3526c09602fadbf8fb3f
Opcode Fuzzy Hash: 9b9e114eb9db3d60655231bf17aaae27173a497d8c63be46c8a40e4df4e7dca3
Instruction Fuzzy Hash: 14912971D40219EFCB10CFA9CC88AEEBBB8FF49320F14455AE516B7291D378A951CB60

Function 00843947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0084396B
CharUpperBuffW.USER32(?,?), ref: 00843A7A
_wcslen.LIBCMT ref: 00843A8A
VariantClear.OLEAUT32(?), ref: 00843C1F

Part of subcall function 00830CDF: VariantInit.OLEAUT32(00000000), ref: 00830D1F
Part of subcall function 00830CDF: VariantCopy.OLEAUT32(?,?), ref: 00830D28
Part of subcall function 00830CDF: VariantClear.OLEAUT32(?), ref: 00830D34

Strings

Incorrect Parameter format, xrefs: 008439A6, 00843BA1
AUTOIT.ERROR, xrefs: 00843A80, 00843A85

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: b360bac3b919116c80d33047ed2db6a11c8e92b9619d012bd2a7062b75381984
Instruction ID: e32b35823c0deebf4d2e883ffbf2b600287979f1dac293bcc334f990e347e6ed
Opcode Fuzzy Hash: b360bac3b919116c80d33047ed2db6a11c8e92b9619d012bd2a7062b75381984
Instruction Fuzzy Hash: 139133746083099FC704EF28C48596AB7E5FF88314F14882EF88A9B351DB35EE45CB92

Function 00844BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0082000E: CLSIDFromProgID.COMBASE ref: 0082002B
Part of subcall function 0082000E: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00820046
Part of subcall function 0082000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820054
Part of subcall function 0082000E: CoTaskMemFree.COMBASE(00000000), ref: 00820064

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00844C51
_wcslen.LIBCMT ref: 00844D59
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,?), ref: 00844DCF
CoTaskMemFree.COMBASE(?), ref: 00844DDA

Strings

NULL Pointer assignment, xrefs: 00844E23, 00844E52

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: ee8409eddcd176fad81a2e419101f3d161de4b3e0ed908ecb75797b694dd2cdf
Instruction ID: aa66dacace15bc8cb718323d6e8f127c38ea22e7319c9290ef5ec586c2490acc
Opcode Fuzzy Hash: ee8409eddcd176fad81a2e419101f3d161de4b3e0ed908ecb75797b694dd2cdf
Instruction Fuzzy Hash: AC910171D0021DEFDF10DFA4D895AEEB7B9FF08314F10816AE915A7251EB34AA458FA0

Function 008520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00852183
GetMenuItemCount.USER32(00000000), ref: 008521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008521DD
_wcslen.LIBCMT ref: 00852213
GetMenuItemID.USER32(?,?), ref: 0085224D
GetSubMenu.USER32(?,?), ref: 0085225B

Part of subcall function 00823A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00823A57
Part of subcall function 00823A3D: GetCurrentThreadId.KERNEL32 ref: 00823A5E
Part of subcall function 00823A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008225B3), ref: 00823A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008522E3

Part of subcall function 0082E97B: Sleep.KERNEL32 ref: 0082E9F3

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 86cbfe6e31c78169f9d3f1819be39778960899f55a505bf36fa127c03fc269f1
Instruction ID: e1be0b351cda687cc9927434cd9ff54796521a583a9b2ed18cf335b4c6d9744d
Opcode Fuzzy Hash: 86cbfe6e31c78169f9d3f1819be39778960899f55a505bf36fa127c03fc269f1
Instruction Fuzzy Hash: 0B718E75A00215EFCB10DF68C885AAEB7F1FF49311F148499E816EB351DB38AE458F90

Function 0082AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0082AEF9
GetKeyboardState.USER32(?), ref: 0082AF0E
SetKeyboardState.USER32(?), ref: 0082AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0082AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0082AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0082AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0082B020

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e01d214a18312f96e23d9ba32c685ca4c431f7e567ce949b479f634b164d66da
Instruction ID: f2ab9d4218a2f0ad9c03138c5f79e4d342d687dc55fba7224f845ddc7176608a
Opcode Fuzzy Hash: e01d214a18312f96e23d9ba32c685ca4c431f7e567ce949b479f634b164d66da
Instruction Fuzzy Hash: C951B1A06047E53EFB3A42349945BBA7FE9FF06304F088489E1E5D54C2D7A9ACC4D752

Function 0082ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0082AD19
GetKeyboardState.USER32(?), ref: 0082AD2E
SetKeyboardState.USER32(?), ref: 0082AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0082ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0082ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0082AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0082AE38

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 74eaa447a0190d3c1cdf5af005973c15388e4a6c4e1809911fad57c039cf142f
Instruction ID: 8cedbc0c71b72bd2621151c3c16dcbd37962b288b772d8334de72e347d4d7c45
Opcode Fuzzy Hash: 74eaa447a0190d3c1cdf5af005973c15388e4a6c4e1809911fad57c039cf142f
Instruction Fuzzy Hash: 2A51D3A15047E53EFB3A82249C95B7ABEE8FF46300F088489E1D5D68C2D294ECC9D752

Function 007F542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00803CD6,?,?,?,?,?,?,?,?,007F5BA3,?,?,00803CD6,?,?), ref: 007F5470
__fassign.LIBCMT ref: 007F54EB
__fassign.LIBCMT ref: 007F5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00803CD6,00000005,00000000,00000000), ref: 007F552C
WriteFile.KERNEL32(?,00803CD6,00000000,007F5BA3,00000000,?,?,?,?,?,?,?,?,?,007F5BA3,?), ref: 007F554B
WriteFile.KERNEL32(?,?,00000001,007F5BA3,00000000,?,?,?,?,?,?,?,?,?,007F5BA3,?), ref: 007F5584

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: b72c8d1d5839da68faed5349454b5471767cc965807d32cdc4979730b5d5e446
Instruction ID: 8532078c2fd2b5b38892178fcf37f877d779258e6778e88addb82ca513a94113
Opcode Fuzzy Hash: b72c8d1d5839da68faed5349454b5471767cc965807d32cdc4979730b5d5e446
Instruction Fuzzy Hash: 52519F71A006499FDB10CFA8D845AEEBBFAEF09300F14411AE655E7391E634AA51CB60

Function 008410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0084304E: inet_addr.WS2_32(?), ref: 0084307A
Part of subcall function 0084304E: _wcslen.LIBCMT ref: 0084309B

socket.WS2_32(00000002,00000001,00000006), ref: 00841112
WSAGetLastError.WS2_32 ref: 00841121
WSAGetLastError.WS2_32 ref: 008411C9
closesocket.WS2_32(00000000), ref: 008411F9

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: eadb7250ea3202167d73612e016f212018eb72abb416c1d6499c555d49aada2f
Instruction ID: 554d4639b1706e12f6e5c2f3d32779a1eaee9752efc4d98230802471bbdc4bbd
Opcode Fuzzy Hash: eadb7250ea3202167d73612e016f212018eb72abb416c1d6499c555d49aada2f
Instruction Fuzzy Hash: 5A41D431600208AFDF109F24C889BA9BBE9FF45369F148059F919DB291D774ED81CFA1

Function 0082CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0082CF22,?), ref: 0082DDFD

Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0082CF22,?), ref: 0082DE16

lstrcmpiW.KERNEL32(?,?), ref: 0082CF45
MoveFileW.KERNEL32(?,?), ref: 0082CF7F
_wcslen.LIBCMT ref: 0082D005
_wcslen.LIBCMT ref: 0082D01B
SHFileOperationW.SHELL32(?), ref: 0082D061

Strings

\*.*, xrefs: 0082CFF3

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 2109f2629a06ac40e385af27044ed99c2367423613323d68dc2a2a433d81516f
Instruction ID: da0c43342e0f4787e4395c3a453c37198e2cc1ab345bc73e0e74f3883c19175b
Opcode Fuzzy Hash: 2109f2629a06ac40e385af27044ed99c2367423613323d68dc2a2a433d81516f
Instruction Fuzzy Hash: B84155719452299FDF12EBA4DA85EEDB7B8FF08340F1000E6E545EB142EF74A684CB51

Function 00852DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00852E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00852E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00852E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00852EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00852EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00852EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00852F0B

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a164dac699f67fb3d9715358ad526d03c0ab5ad91ce94326c2518688dced6dee
Instruction ID: 2d4f55938f6f6c95453e3dda2d76ab442f5f7f0100582a95d38f22c8cbea5dd2
Opcode Fuzzy Hash: a164dac699f67fb3d9715358ad526d03c0ab5ad91ce94326c2518688dced6dee
Instruction Fuzzy Hash: 2D31F230604255AFDB21DF58EC8AF653BE1FB9A712F5901A5F901CB2B2CB71B8449B41

Function 00827726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00827769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082778F
SysAllocString.OLEAUT32(00000000), ref: 00827792
SysAllocString.OLEAUT32(?), ref: 008277B0
SysFreeString.OLEAUT32(?), ref: 008277B9
StringFromGUID2.COMBASE(?,?,00000028), ref: 008277DE
SysAllocString.OLEAUT32(?), ref: 008277EC

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f78012cc14d6843d8cf2c2d8de309b8c6aca3627fdc816c675bd41c29498f419
Instruction ID: e4fba6bcbcef34ad428fdebeb9315c039c077e5dccea0f0951a0599ff386c2d7
Opcode Fuzzy Hash: f78012cc14d6843d8cf2c2d8de309b8c6aca3627fdc816c675bd41c29498f419
Instruction Fuzzy Hash: 22219076604329AFDB10DFA9DC88CBB77ACFB097647448025FA15DB290D674DC818B64

Function 008277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00827842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00827868
SysAllocString.OLEAUT32(00000000), ref: 0082786B
SysAllocString.OLEAUT32 ref: 0082788C
SysFreeString.OLEAUT32 ref: 00827895
StringFromGUID2.COMBASE(?,?,00000028), ref: 008278AF
SysAllocString.OLEAUT32(?), ref: 008278BD

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f2e5cfda159183883f0574ae27d9adf3f6cd82d9cf55496d6bfc65b814825d3a
Instruction ID: 6901ff76b9e1789b2c63dadbfe0ff5a2c9eec77c3a76f7154cfead02d2a552a3
Opcode Fuzzy Hash: f2e5cfda159183883f0574ae27d9adf3f6cd82d9cf55496d6bfc65b814825d3a
Instruction Fuzzy Hash: BD217435604228AFDB109FA9DC8CDAA77ECFB097607508135F915CB2A1D674DC81CB68

Function 008304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0083052E

Strings

nul, xrefs: 00830567

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d2087d3a9427f597210d993f0db6f3b81ac8c2bbd96141c652ad79b475deb977
Instruction ID: e163939e10db7e051b5effb09a5c1821cc7a90caa99a1c5c10fcc616432454fa
Opcode Fuzzy Hash: d2087d3a9427f597210d993f0db6f3b81ac8c2bbd96141c652ad79b475deb977
Instruction Fuzzy Hash: 3B214C75500309AFDF209F69DC54A9A7BB4FF84725F204A19F8A1E72E0E7709950CFA0

Function 008305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00830601

Strings

nul, xrefs: 00830639

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 18cc0819998b71c8a7b8909f290441e183b41c507ef1422241ed23ca4eccd62d
Instruction ID: 39853d01765f1aafac110bde4f354ea7b000bfff32f68dc8217a59583dd548df
Opcode Fuzzy Hash: 18cc0819998b71c8a7b8909f290441e183b41c507ef1422241ed23ca4eccd62d
Instruction Fuzzy Hash: 332195755003059FDB209F69CC15A9A77E8FFE5B25F200A19F8A1E72D4E7709860CF90

Function 008540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007C604C
Part of subcall function 007C600E: GetStockObject.GDI32(00000011), ref: 007C6060
Part of subcall function 007C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007C606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00854112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0085411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0085412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00854139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00854145

Strings

Msctls_Progress32, xrefs: 008540E3

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0443d26079f5f24e42d7c802f38c4aed6b1e76811dba5c03a45f5cabecdc6a0f
Instruction ID: 1b8eb47718b7362f9d49c91e44d1afd5e88808585149b9dced74be19a6ccf51d
Opcode Fuzzy Hash: 0443d26079f5f24e42d7c802f38c4aed6b1e76811dba5c03a45f5cabecdc6a0f
Instruction Fuzzy Hash: BD1190B218021DBEEF119E64CC85EE77FADFF18798F105111BA18E2190C6769C619BA4

Function 007FD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007FD7A3: _free.LIBCMT ref: 007FD7CC

_free.LIBCMT ref: 007FD82D

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007FD838
_free.LIBCMT ref: 007FD843
_free.LIBCMT ref: 007FD897
_free.LIBCMT ref: 007FD8A2
_free.LIBCMT ref: 007FD8AD
_free.LIBCMT ref: 007FD8B8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 8956c552c3231eaeca6cd31189136c557aecdf09ecc86ff17c0af1eb67743721
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 3811D07158170CEAD531FFB0CC4BFEB7BDD6F05700F404815B399AA6A2D669B9054A60

Function 0082DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0082DA74
LoadStringW.USER32(00000000), ref: 0082DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0082DA91
LoadStringW.USER32(00000000), ref: 0082DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0082DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0082DAB9

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: a943e74e9cd9758b72e2b4fd4559bd38a2cc5c2f25927f4a9e0040bdcb8c8a41
Instruction ID: 911b50cd9b55a526dcc1e754163492e4b9f128b59d2b195dce1b40862b0d9a8a
Opcode Fuzzy Hash: a943e74e9cd9758b72e2b4fd4559bd38a2cc5c2f25927f4a9e0040bdcb8c8a41
Instruction Fuzzy Hash: 3F0162F25003187FE710ABE49D89EEB376CF708306F404495B746E2041EA789E848F74

Function 0083096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0150D298,0150D298), ref: 0083097B
RtlEnterCriticalSection.NTDLL(0150D278), ref: 0083098D
TerminateThread.KERNEL32(01508DE0,000001F6), ref: 0083099B
WaitForSingleObject.KERNEL32(01508DE0,000003E8), ref: 008309A9
CloseHandle.KERNEL32(01508DE0), ref: 008309B8
InterlockedExchange.KERNEL32(0150D298,000001F6), ref: 008309C8
RtlLeaveCriticalSection.NTDLL(0150D278), ref: 008309CF

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 64072677c92868a2ad7608ed1a067b0fee388a7d3624dc176e23028ab899c9bf
Instruction ID: de54cd6122c0304fce091d4ca059bd18da45b45bc087406504ae3a5680c0b80f
Opcode Fuzzy Hash: 64072677c92868a2ad7608ed1a067b0fee388a7d3624dc176e23028ab899c9bf
Instruction Fuzzy Hash: 08F0C932442B12AFD7515BA4EE89BDABA69FF45703F802025F202948A1CB7994A5CF91

Function 007C5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 007C5D30
GetWindowRect.USER32(?,?), ref: 007C5D71
ScreenToClient.USER32(?,?), ref: 007C5D99
GetClientRect.USER32(?,?), ref: 007C5ED7
GetWindowRect.USER32(?,?), ref: 007C5EF8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 6b0633d66ba4efcbdbd017e14ec76644f7145fe568418c2286e691b47ed0520d
Instruction ID: 271895621ad5fa9abeff797ad1726d9ebbf2c521804b77f604c24ad82d709fa3
Opcode Fuzzy Hash: 6b0633d66ba4efcbdbd017e14ec76644f7145fe568418c2286e691b47ed0520d
Instruction Fuzzy Hash: 08B16C74A0074ADBDB14CFA9C880BEAB7F1FF54310F14951EE8A9D7290DB34AA91DB50

Function 007F01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007F00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F00D6
__allrem.LIBCMT ref: 007F00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F010B
__allrem.LIBCMT ref: 007F0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F0140

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: ed8eba516debf7e20e25c71bd34530234b0fa90510db3706a9678172983557d1
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 19810772601B0ADBEB209F69CC45B7E73E9EF45724F24453AF611D6782EB78D9008790

Function 007F61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007E82D9,007E82D9,?,?,?,007F644F,00000001,00000001,8BE85006), ref: 007F6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,007F644F,00000001,00000001,8BE85006,?,?,?), ref: 007F62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007F63D8
__freea.LIBCMT ref: 007F63E5

Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444), ref: 007F3852

__freea.LIBCMT ref: 007F63EE
__freea.LIBCMT ref: 007F6413

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: eaaf6021a9a93cb59f66526b31929e39d02f2097c901a8d9bbb63a21ad703f57
Instruction ID: 6715f12537c7d57216114b8bdac2c7034369b8e75b393cbb4050d110aff48719
Opcode Fuzzy Hash: eaaf6021a9a93cb59f66526b31929e39d02f2097c901a8d9bbb63a21ad703f57
Instruction Fuzzy Hash: C051F072A0021AAFEB258F64CC85EBF77AAEF54750F154229FE05D7240EB38DC44D6A1

Function 0084BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084BD25
RegCloseKey.ADVAPI32(00000000), ref: 0084BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0084BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0084BDF3
RegCloseKey.ADVAPI32(?), ref: 0084BDFF

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: bbb35be255f816272a4ea364d01aa95fd58a989109c6726c88a52286d3b2e8b8
Instruction ID: f988809f679c0635ead9d6dbef5c888ea947a191ae3485fdf042b5734f62e7d5
Opcode Fuzzy Hash: bbb35be255f816272a4ea364d01aa95fd58a989109c6726c88a52286d3b2e8b8
Instruction Fuzzy Hash: BE817B30208245EFD714DF24C895E2ABBE5FF84308F14899CF5598B2A2DB36ED45CB92

Function 0081F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0081F7B9
SysAllocString.OLEAUT32(00000001), ref: 0081F860
VariantCopy.OLEAUT32(0081FA64,00000000), ref: 0081F889
VariantClear.OLEAUT32(0081FA64), ref: 0081F8AD
VariantCopy.OLEAUT32(0081FA64,00000000), ref: 0081F8B1
VariantClear.OLEAUT32(?), ref: 0081F8BB

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 1550baed652b004e7b29f0300e073d6bb06694ce3bd6474cba29d2a9b2a93ddc
Instruction ID: 73e8122d6cefbca35046737789ff8a7271073ac84d1546510e992fca1a098e53
Opcode Fuzzy Hash: 1550baed652b004e7b29f0300e073d6bb06694ce3bd6474cba29d2a9b2a93ddc
Instruction Fuzzy Hash: 4251D731600314FACF10AB65D895BA9B7ACFF45714F14446BEA06DF293DB748C80CB96

Function 007D920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

BeginPaint.USER32(?,?,?), ref: 007D9241
GetWindowRect.USER32(?,?), ref: 007D92A5
ScreenToClient.USER32(?,?), ref: 007D92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007D92D3
EndPaint.USER32(?,?,?,?,?), ref: 007D9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008171EA

Part of subcall function 007D9339: BeginPath.GDI32(00000000), ref: 007D9357

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 1a00b00203fde40182a5236aafc9bae5ebbc3e0046e28ed1cfe3c0a8fff1b369
Instruction ID: d61d1f1d733c9b3c4b5939b8cd8995f0406f0e548fea6f3f3908935a97a6d993
Opcode Fuzzy Hash: 1a00b00203fde40182a5236aafc9bae5ebbc3e0046e28ed1cfe3c0a8fff1b369
Instruction Fuzzy Hash: 77418C70108301AFDB11EF24CC88FAA7BB8FF55721F14062AFA95D72A1C735A845DB61

Function 008307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0083080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00830847
RtlEnterCriticalSection.NTDLL(?), ref: 00830863
RtlLeaveCriticalSection.NTDLL(?), ref: 008308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00830921

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 8b4946fff475755f69e08b3b822cff2ae2590788140c9da5908cd9c0146b22f4
Instruction ID: d1e5b2c28ffabfba200ff7a1fac268246939e6d7570037f0eaf032b299d6da22
Opcode Fuzzy Hash: 8b4946fff475755f69e08b3b822cff2ae2590788140c9da5908cd9c0146b22f4
Instruction Fuzzy Hash: 0A415771900205EFDF14AF64DC85A6ABBB9FF44300F1440A9ED05EA296DB34DE64DFA0

Function 008581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0081F3AB,00000000,?,?,00000000,?,0081682C,00000004,00000000,00000000), ref: 0085824C
EnableWindow.USER32(00000000,00000000), ref: 00858272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008582D1
ShowWindow.USER32(00000000,00000004), ref: 008582E5
EnableWindow.USER32(00000000,00000001), ref: 0085830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0085832F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 938831d43b666dd30ccaaff32535fc2e85cf5160df0e072278d960e8e884d25f
Instruction ID: 2c6d77b5c18af4ec93a42cd992b7f24bb18de8c1c3a2baade0a7be2ee50a7b6c
Opcode Fuzzy Hash: 938831d43b666dd30ccaaff32535fc2e85cf5160df0e072278d960e8e884d25f
Instruction Fuzzy Hash: F5418234601645EFDF12DF25C899BE47FE1FB0A716F18416AE908DB262CB31A849CF50

Function 00824C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00824C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00824CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00824CEA
_wcslen.LIBCMT ref: 00824D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00824D10
_wcsstr.LIBVCRUNTIME ref: 00824D1A

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 561e1cef34a4723ddd2dd8e69442007346458d2896bffff7f68e9e666e3f195f
Instruction ID: dd28442d4a90dabbddc1ca86ba346355c9f8b34949571d950fc34e65d50abc23
Opcode Fuzzy Hash: 561e1cef34a4723ddd2dd8e69442007346458d2896bffff7f68e9e666e3f195f
Instruction Fuzzy Hash: AA212931204214BBEB155B39FC09E7B7BECEF45750F10507EF805CA192EA65DD4086B0

Function 0083581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 007C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007C3A97,?,?,007C2E7F,?,?,?,00000000), ref: 007C3AC2

_wcslen.LIBCMT ref: 0083587B
CoInitialize.OLE32(00000000), ref: 00835995
CoCreateInstance.COMBASE(0085FCF8,00000000,00000001,0085FB68,?), ref: 008359AE
CoUninitialize.COMBASE ref: 008359CC

Strings

.lnk, xrefs: 00835876, 008358C1, 00835985

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: eabed50d84c19956c0ca80865d952a1d0f4d455f975cf44f2a512f3ac6c74677
Instruction ID: 01a7f1d309e52f12d0c1413fbf2e2a980b2261b0060e33a89e1d5fed89286de3
Opcode Fuzzy Hash: eabed50d84c19956c0ca80865d952a1d0f4d455f975cf44f2a512f3ac6c74677
Instruction Fuzzy Hash: 98D14E71608601DFC714EF24C488A2ABBE1FF89724F14885DF88A9B361DB35ED45CB92

Function 0082175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00820FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00820FCA
Part of subcall function 00820FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00820FD6
Part of subcall function 00820FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00820FE5
Part of subcall function 00820FB4: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00820FEC
Part of subcall function 00820FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00821002

GetLengthSid.ADVAPI32(?,00000000,00821335), ref: 008217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008217BA
RtlAllocateHeap.NTDLL(00000000), ref: 008217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008217DA
GetProcessHeap.KERNEL32(00000000,00000000,00821335), ref: 008217EE
HeapFree.KERNEL32(00000000), ref: 008217F5

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 4320e387720e33bc5b4c77b4b4483f94086a1f4618c6520ad38e43c2bd2ccd93
Instruction ID: d6467e739118b6ca63200cc2b02f3d3322db7a341f4ef359ff5ff37d47d40001
Opcode Fuzzy Hash: 4320e387720e33bc5b4c77b4b4483f94086a1f4618c6520ad38e43c2bd2ccd93
Instruction Fuzzy Hash: 4B11AC31500715EFDF109FA4EC49BAE7BA9FB95356F204018F441D7255C739A984CF60

Function 007E3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007E3379,007E2FE5), ref: 007E3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007E339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007E33B7
SetLastError.KERNEL32(00000000,?,007E3379,007E2FE5), ref: 007E3409

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0dbc8c8959d23f7d67ede6a684bf65653eb877ab69174d18d67701e51c6df1b7
Instruction ID: 0923b255494b954ba284a6af4be40a9ddf77b9f07f01be8fd864d7fb989e0aef
Opcode Fuzzy Hash: 0dbc8c8959d23f7d67ede6a684bf65653eb877ab69174d18d67701e51c6df1b7
Instruction Fuzzy Hash: 1501283220B791FFE726277B7C8D9662A94FB0D3B97300229F410872F1EF694D015664

Function 007F2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,007F5686,00803CD6,?,00000000,?,007F5B6A,?,?,?,?,?,007EE6D1,?,00888A48), ref: 007F2D78
_free.LIBCMT ref: 007F2DAB
_free.LIBCMT ref: 007F2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,007EE6D1,?,00888A48,00000010,007C4F4A,?,?,00000000,00803CD6), ref: 007F2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,007EE6D1,?,00888A48,00000010,007C4F4A,?,?,00000000,00803CD6), ref: 007F2DEC
_abort.LIBCMT ref: 007F2DF2

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 3ca95612453d670ada79c4dd5f70e01596be1c2535632a972a228c516dc73c74
Instruction ID: 96f3c6fbfbfef75f8e063bb7463c08bfe3b580a4776a3f79dc01745f4bab69a3
Opcode Fuzzy Hash: 3ca95612453d670ada79c4dd5f70e01596be1c2535632a972a228c516dc73c74
Instruction Fuzzy Hash: 81F0F435645B0CBBC2122738BC0EA7A2559BFC17A1B240118FB24D23A3EE2C88034561

Function 00858A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 007D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D9693
Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96A2
Part of subcall function 007D9639: BeginPath.GDI32(?), ref: 007D96B9
Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00858A4E
LineTo.GDI32(?,00000003,00000000), ref: 00858A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00858A70
LineTo.GDI32(?,00000000,00000003), ref: 00858A80
EndPath.GDI32(?), ref: 00858A90
StrokePath.GDI32(?), ref: 00858AA0

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2dcadd2afac4907f25f17f2155131f1d0b6e9805fbc3e54ddfedf4cdfe6ffcf4
Instruction ID: aef8c4a85c7e9390fee8d5e6de8eb9e53577ec1c876375995974dcea18daed1f
Opcode Fuzzy Hash: 2dcadd2afac4907f25f17f2155131f1d0b6e9805fbc3e54ddfedf4cdfe6ffcf4
Instruction Fuzzy Hash: 77110976000219FFDF129F90DC88EAA7F6DFB08391F048012FA199A1A1C7729D55DFA0

Function 008251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00825218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00825229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00825230
ReleaseDC.USER32(00000000,00000000), ref: 00825238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0082524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00825261

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 2a97616122b8baf5d1e1747bcb59c5199779ff1a0acce04ff68c77024f1ca849
Instruction ID: ffb38f04313ebeffced521fd80cd5bf6cac6b91875ea4586286f1811b7b8eec4
Opcode Fuzzy Hash: 2a97616122b8baf5d1e1747bcb59c5199779ff1a0acce04ff68c77024f1ca849
Instruction Fuzzy Hash: 09014F75A40718BFEB109BA69C49E5EBFB8FF48752F044065FA04E7281DA749900CFA0

Function 007C1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007C1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 007C1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007C1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007C1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 007C1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 007C1C22

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: dbcbe7ff841e91a5b37935c495e649e591fd34ea1319ecc12088192f330202e7
Instruction ID: 246239c133a2435621cac8e372caf596f171679365a37f04dd9651d48404ebb1
Opcode Fuzzy Hash: dbcbe7ff841e91a5b37935c495e649e591fd34ea1319ecc12088192f330202e7
Instruction Fuzzy Hash: 980144B0902B5ABDE3008F6A8C85A52FEA8FF19354F00411BA15C4BA42C7B5A864CBE5

Function 0082EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0082EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0082EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0082EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0082EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0082EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0082EB75

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9baac0b712e47b49fd89a8e42dd11749470cb27b7fa543a695878befbaafd31e
Instruction ID: 80becd73c53bfe9a63cd898acf7954af3b4648e0219fa92bbbc42e97fceb4c9c
Opcode Fuzzy Hash: 9baac0b712e47b49fd89a8e42dd11749470cb27b7fa543a695878befbaafd31e
Instruction Fuzzy Hash: 29F01D72140758BFE6215B529C0DEEB7EBCFBCAB12F000159F601D119196A45A418AB5

Function 00817439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00817452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00817469
GetWindowDC.USER32(?), ref: 00817475
GetPixel.GDI32(00000000,?,?), ref: 00817484
ReleaseDC.USER32(?,00000000), ref: 00817496
GetSysColor.USER32(00000005), ref: 008174B0

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 6e24b8aaa6f16bb1da52d5f03d42de1a1c5120babb56ccd3e4effea8a17485b8
Instruction ID: b62b6cf5711cee6371131b2645bdd25bc28d526d32efd9f29cf866c5553c1873
Opcode Fuzzy Hash: 6e24b8aaa6f16bb1da52d5f03d42de1a1c5120babb56ccd3e4effea8a17485b8
Instruction Fuzzy Hash: 4A012431404315EFEB515FA4DC48BEA7BBAFF04322F650168FA16A21A1CB391E91EF50

Function 0082C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0082C6EE
_wcslen.LIBCMT ref: 0082C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0082C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0082C7CA

Strings

0, xrefs: 0082C6AF

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: ca42fffc91e6d8461144d01af7c16e3ac7fe3e2bdd9d11ed446a8501df3a9ee0
Instruction ID: b839aa9af4c6bd609105afce6772574700fabd64a9b0d53a051eabd899cf5d6b
Opcode Fuzzy Hash: ca42fffc91e6d8461144d01af7c16e3ac7fe3e2bdd9d11ed446a8501df3a9ee0
Instruction Fuzzy Hash: 4251BD716043219FD714AF28E889B7E77E8FF49314F040A2DF996E32A0DB64D984CB52

Function 0084AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0084AEA3

Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625

GetProcessId.KERNEL32(00000000), ref: 0084AF38
CloseHandle.KERNEL32(00000000), ref: 0084AF67

Strings

<, xrefs: 0084AE6B
@, xrefs: 0084AE72

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 1ba337604d6d876ed8c1b5c575dea221ed71900aa004002bda2ff793e2afe338
Instruction ID: 3d34a2c1e2d2c2cf2aae71a14285f540646f7546056359036c5d68317de7604a
Opcode Fuzzy Hash: 1ba337604d6d876ed8c1b5c575dea221ed71900aa004002bda2ff793e2afe338
Instruction Fuzzy Hash: 94712375A00619DFCB18DF54D488A9EBBB4FF08314F04849DE856AB3A2CB78ED45CB91

Function 0082719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00827206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0082723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0082724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008272CF

Strings

DllGetClassObject, xrefs: 00827242

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a7da78526891eddc245bd08a671a5b34b71731706634acfdcb6c91c91d81f32c
Instruction ID: dafed3950d79ed56f134074dc00c429f134a201e7ccec8a677c2bf8d6f4c6948
Opcode Fuzzy Hash: a7da78526891eddc245bd08a671a5b34b71731706634acfdcb6c91c91d81f32c
Instruction Fuzzy Hash: 35418CB1A04214EFDB15CF55D884A9A7BA9FF44314F1480ADFD06DF20AD7B4D984CBA0

Function 00821DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00821E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00821E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00821EA9

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

Strings

ComboBox, xrefs: 00821DF0
ListBox, xrefs: 00821E25

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 278a714b408deece1761152435b47c42b8db926abaebc13018d0514b720a214a
Instruction ID: 8aef3db14526e634adcd5a60c66c0cd8de73b256097eb29cde560c865018b5ab
Opcode Fuzzy Hash: 278a714b408deece1761152435b47c42b8db926abaebc13018d0514b720a214a
Instruction Fuzzy Hash: EA21E475A00204AEDB14AB64EC5DDFFB7B9FF65350B20412DF825E72E1DB384E498A20

Function 0084C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0084C9F1
_wcslen.LIBCMT ref: 0084CA68
_wcslen.LIBCMT ref: 0084CA9E
_wcslen.LIBCMT ref: 0084CAF9
_wcslen.LIBCMT ref: 0084CB2F
_wcslen.LIBCMT ref: 0084CB7F

Strings

HKLM, xrefs: 0084CA98, 0084CA9D
HKEY_LOCAL_MACHINE, xrefs: 0084CA62, 0084CA67

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: a0a1345da9613fc9895e1d664b5f38fb229c31dbe42bf9717f5968f2c80a174d
Instruction ID: 82c75f9aac9d37e3def69e193727724589c81d2cb2761a3e99a7522661f8c40c
Opcode Fuzzy Hash: a0a1345da9613fc9895e1d664b5f38fb229c31dbe42bf9717f5968f2c80a174d
Instruction Fuzzy Hash: DD3128B3A0217E8BCB60EF6D88445BE33AAFBA1750B154029E851EB345FA75CD44D3A0

Function 00852F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00852F8D
LoadLibraryW.KERNEL32(?), ref: 00852F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00852FA9
DestroyWindow.USER32(?), ref: 00852FB1

Strings

SysAnimate32, xrefs: 00852F68

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 2856b21e2b850bce291ea94f95510b88a47f0b8abdada190a61af1a352be1818
Instruction ID: 700c6373995f7a604c8979fbfa59a1e4cacb082810117871b227d161095b8f7f
Opcode Fuzzy Hash: 2856b21e2b850bce291ea94f95510b88a47f0b8abdada190a61af1a352be1818
Instruction Fuzzy Hash: 67218872204209ABEB205F64AC84EBB37B9FB5A366F100228FD50E6190DF71DC959B60

Function 007E4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,007E4D1E,007F28E9,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002), ref: 007E4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 007E4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,007E4D1E,007F28E9,?,007E4CBE,007F28E9,008888B8,0000000C,007E4E15,007F28E9,00000002,00000000), ref: 007E4DC3

Strings

mscoree.dll, xrefs: 007E4D86
CorExitProcess, xrefs: 007E4D98

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 94f42eb307fa197bc71cf7ee6ab79edaf17b53c291ff795cfa76e45032451cbb
Instruction ID: 5eab3dc45105511779dacae85799ceeb41043b155020d08b0f980085e18e742c
Opcode Fuzzy Hash: 94f42eb307fa197bc71cf7ee6ab79edaf17b53c291ff795cfa76e45032451cbb
Instruction Fuzzy Hash: DFF03C34A41308BFDB119F95DC49BAEBBA5FB48752F0000A4A905A6260CB795940CF94

Function 0081D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0081D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0081D3BF
FreeLibrary.KERNEL32(00000000), ref: 0081D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0081D3B9
X64, xrefs: 0081D2A8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 9aefed68fdd35fddbd1797ec64177a1b07e4ca42d7a95861b4a249b8996514bc
Instruction ID: 9e03b24b36164ccf41b693dab37765c7b542682c2c99731ac73739f200054e59
Opcode Fuzzy Hash: 9aefed68fdd35fddbd1797ec64177a1b07e4ca42d7a95861b4a249b8996514bc
Instruction Fuzzy Hash: F4F020B0845B218FCB7527208C88BEA332CFF11706B548056F822E2204EB78CCC48A92

Function 007C4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007C4EAE
FreeLibrary.KERNEL32(00000000,?,?,007C4EDD,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 007C4EA8
kernel32.dll, xrefs: 007C4E94

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 3a6901525f8551db5cc390adf1132ba30655313dc4f3bfdf41d1b953679c8bd1
Instruction ID: 0180438e53a295bcdb23e3c864451ac7b716d31d007c89b866b38b44a819bd33
Opcode Fuzzy Hash: 3a6901525f8551db5cc390adf1132ba30655313dc4f3bfdf41d1b953679c8bd1
Instruction Fuzzy Hash: 82E08C36A42B226F92322B25AC28F6B7758BF81F63B06011DFC00E2200DB6CCD0189A1

Function 007C4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007C4E74
FreeLibrary.KERNEL32(00000000,?,?,00803CDE,?,00891418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007C4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 007C4E6E
kernel32.dll, xrefs: 007C4E5B

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c5d2c762857d98098f18a95410e15c92e0279e9ed8e5b8a82b2b5beb340c2c58
Instruction ID: 6a58f582c8fbbc271a76b764b192986f5cc580a8ab61cd195e27b5bda36fdff3
Opcode Fuzzy Hash: c5d2c762857d98098f18a95410e15c92e0279e9ed8e5b8a82b2b5beb340c2c58
Instruction Fuzzy Hash: 6DD01235542B615B56221B297C28E8B7B19FF85F62306051DBD05E2215CF6CCD01CAD0

Function 00832947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00832C05
DeleteFileW.KERNEL32(?), ref: 00832C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00832C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00832CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00832CC0

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 761c1750d8b876f7201be1377ae40b0c1d21728827d7977e229a86b05be9ced6
Instruction ID: 65a3f2db11f3e1cf95b1509a1e62df2288aa4bd2011effa981b589d52585c8cf
Opcode Fuzzy Hash: 761c1750d8b876f7201be1377ae40b0c1d21728827d7977e229a86b05be9ced6
Instruction Fuzzy Hash: 8CB13071901119EBDF21EBA4CC89EDEB77DFF48350F1040AAF509E6151EA35AA448FA1

Function 0084A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0084A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0084A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0084A468
CloseHandle.KERNEL32(?), ref: 0084A63D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 0e837bd46a13baf17327a6134d5edf577a030cc2be288ce1fc2b7866ce29e717
Instruction ID: a165496444ab38ac5aadd734e97772b8cb717549b1b0d72639ff175e330b9823
Opcode Fuzzy Hash: 0e837bd46a13baf17327a6134d5edf577a030cc2be288ce1fc2b7866ce29e717
Instruction Fuzzy Hash: A5A18C71644300AFD724DF24D886F2AB7E5EB88714F14885DF59ADB392DBB4EC418B82

Function 00841D10 Relevance: 7.8, APIs: 5, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00843149: select.WS2_32(00000000,?,00000000,00000000,?), ref: 00843195

__WSAFDIsSet.WS2_32(00000000,?), ref: 00841DC0
WSAGetLastError.WS2_32 ref: 00841DF2
inet_ntoa.WS2_32(?), ref: 00841E8C
htons.WS2_32(?), ref: 00841EDB
_strlen.LIBCMT ref: 00841F35

Part of subcall function 008239E8: _strlen.LIBCMT ref: 008239F2

Part of subcall function 007C6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,007DCF58,?,?,?), ref: 007C6DBA
Part of subcall function 007C6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,007DCF58,?,?,?), ref: 007C6DED

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: f3a07c48d899018fbfd9b2a74edb68768e7465562e5f40b5119af9c490b32cec
Instruction ID: 05be8247832c449699425b212ea4eff81147d95365b0ba02cb15211a66ed909d
Opcode Fuzzy Hash: f3a07c48d899018fbfd9b2a74edb68768e7465562e5f40b5119af9c490b32cec
Instruction Fuzzy Hash: 6EA1CF31204344AFC724DB24C889F2ABBA5FF84318F54895CF4569B2A2CB35ED86CB91

Function 0082E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0082CF22,?), ref: 0082DDFD

Part of subcall function 0082DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0082CF22,?), ref: 0082DE16

Part of subcall function 0082E199: GetFileAttributesW.KERNEL32(?,0082CF95), ref: 0082E19A

lstrcmpiW.KERNEL32(?,?), ref: 0082E473
MoveFileW.KERNEL32(?,?), ref: 0082E4AC
_wcslen.LIBCMT ref: 0082E5EB
_wcslen.LIBCMT ref: 0082E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0082E650

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 67278bade5b4546ee29210f9ef25843a5c2e5eacf8c742fec1e616a9ff5cf61c
Instruction ID: 4f4fbf2e2602a0c7717cef155ad2ba019bfd4525c5b30858794b72332d4d42f6
Opcode Fuzzy Hash: 67278bade5b4546ee29210f9ef25843a5c2e5eacf8c742fec1e616a9ff5cf61c
Instruction Fuzzy Hash: 185163B24087959BC724EB94DC859DFB3DCEF84340F40492EF689D3151EF74A588876A

Function 0084B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 0084C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084B6AE,?,?), ref: 0084C9B5
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084C9F1
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA68
Part of subcall function 0084C998: _wcslen.LIBCMT ref: 0084CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0084BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0084BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0084BB63
RegCloseKey.ADVAPI32(?,?), ref: 0084BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0084BBB3

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 089d272ba092471170a56a2d79c218082ce658e70eccb39eb0ec4d2be7c2d828
Instruction ID: 6698f8772486a672c83b1ebd6f79e21d69370b4746a05896393e3d2245df9f7b
Opcode Fuzzy Hash: 089d272ba092471170a56a2d79c218082ce658e70eccb39eb0ec4d2be7c2d828
Instruction Fuzzy Hash: E061AE31208245EFD714DF24C895E2ABBE5FF84318F14895CF4998B2A2DB35ED45CB92

Function 00828BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00828BCD
VariantClear.OLEAUT32 ref: 00828C3E
VariantClear.OLEAUT32 ref: 00828C9D
VariantClear.OLEAUT32(?), ref: 00828D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00828D3B

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c22fff47b16a4003b207e863d9d578ed6f009878c319bdf0ffbf20b2f16a5957
Instruction ID: 1aa78ab92a93ed75bb40975a9d72e5bff6dbe6e35c0b4762806b6d2fc4c9bedd
Opcode Fuzzy Hash: c22fff47b16a4003b207e863d9d578ed6f009878c319bdf0ffbf20b2f16a5957
Instruction Fuzzy Hash: E65188B5A01219EFDB10CF68D884EAAB7F8FF89314B118559E909DB350E734E951CFA0

Function 00838AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00838BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00838BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00838C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00838C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00838C5F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: ae940e1771e72be8abd207c775400bdb57dd1b1b66cc84d7f6c52c357310c9de
Instruction ID: 568ba8311af31cc400d7af912b04a6b00a9afbed80b3b0e41bdf1ecb21702514
Opcode Fuzzy Hash: ae940e1771e72be8abd207c775400bdb57dd1b1b66cc84d7f6c52c357310c9de
Instruction Fuzzy Hash: E7510535A00215DFCB05DF64C885E69BBF5FF48314F088459E849AB362DB39ED51DB90

Function 00848EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00848F40
GetProcAddress.KERNEL32(00000000,?), ref: 00848FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00848FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00849032
FreeLibrary.KERNEL32(00000000), ref: 00849052

Part of subcall function 007DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00831043,?,753CE610), ref: 007DF6E6
Part of subcall function 007DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0081FA64,00000000,00000000,?,?,00831043,?,753CE610,?,0081FA64), ref: 007DF70D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 667f09b2d58a00e97d3533dcd6a9c5015347f9ebb29c17b93d4b13e4895d532f
Instruction ID: 5becd9a1cbb0874eaddc89060dc2ca36eb3b778e715a3416e103641f3666c16f
Opcode Fuzzy Hash: 667f09b2d58a00e97d3533dcd6a9c5015347f9ebb29c17b93d4b13e4895d532f
Instruction Fuzzy Hash: CE511735600609DFC715DF68C498DADBBF1FF49314B0580A9E84A9B362DB35ED85CB90

Function 00856B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00856C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00856C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00856C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0083AB79,00000000,00000000), ref: 00856C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00856CC7

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 4b1fb35c5d4a7a0664b4f44005029fd13b97b7dc0af1cccb396fcf2bb0d0b559
Instruction ID: 2e83d2902cb20d625800660c7c5de9edcdd7cac45d5de2425569602ea22b26aa
Opcode Fuzzy Hash: 4b1fb35c5d4a7a0664b4f44005029fd13b97b7dc0af1cccb396fcf2bb0d0b559
Instruction Fuzzy Hash: 5041D635A04204AFDB24DF28CC59FA97FA5FB09365F940228FC95E72E0E371AD65CA40

Function 007F2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007F20C3
_free.LIBCMT ref: 007F20E3

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3a4c1a8cd245ecc0b26260792068cada884d0b955ccc05ec1e1a8ddcc093ca5e
Instruction ID: d8ae56b6296fb84adb53279e384412e128ebe68d5254ccae692a6ad53e03112e
Opcode Fuzzy Hash: 3a4c1a8cd245ecc0b26260792068cada884d0b955ccc05ec1e1a8ddcc093ca5e
Instruction Fuzzy Hash: 0041F232A00208DFCB20DF78C884A6DB7F5EF89314F1545A9E615EB392DB35AD02CB90

Function 007D912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007D9141
ScreenToClient.USER32(00000000,?), ref: 007D915E
GetAsyncKeyState.USER32(00000001), ref: 007D9183
GetAsyncKeyState.USER32(00000002), ref: 007D919D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 6a19b51430905938e80140157afd70bb052bc24f7a598f388f5eb5b0e482e03a
Instruction ID: 5adba376d4f3edb220890b28aa70aa4e889677c6fd7aa92f28901422ea0a5364
Opcode Fuzzy Hash: 6a19b51430905938e80140157afd70bb052bc24f7a598f388f5eb5b0e482e03a
Instruction Fuzzy Hash: 5641607190860AFBDF199F68C848BEEB775FF05324F20421AE525A3290D7356D94CF51

Function 00833874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00833922
TranslateMessage.USER32(?), ref: 0083394B
DispatchMessageW.USER32(?), ref: 00833955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00833966

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d6d43aeb55e94851ab491fdb28966b434f67d4d61d1640c98c1e2dd87479848a
Instruction ID: 433fae251bf93c34df21886206db8da64c00b6a4d7ce90a077012e00e9ee309d
Opcode Fuzzy Hash: d6d43aeb55e94851ab491fdb28966b434f67d4d61d1640c98c1e2dd87479848a
Instruction Fuzzy Hash: 34310670508346DFEF25DB34D809BB67FA8FB86304F08046AE862D25A0E3F49685DB91

Function 0083CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0083C21E,00000000), ref: 0083CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0083CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0083C21E,00000000), ref: 0083CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0083C21E,00000000), ref: 0083CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0083C21E,00000000), ref: 0083CFF2

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 897b48195219c45bcc1d43f95b741cbb7308c221858be4d36c4087110e2f3f2b
Instruction ID: 43d6b3dbdce73e584282f2b181642544464580551f0bdf31bcf71047d4ee2ee7
Opcode Fuzzy Hash: 897b48195219c45bcc1d43f95b741cbb7308c221858be4d36c4087110e2f3f2b
Instruction Fuzzy Hash: 99313A71600709EFDB20DFA5C8849AABBF9FB54355F10442EE506E2241DB74AE419BA0

Function 00821901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00821915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008219E2

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 482e5714fe81da1d791e86ea98de9b351047bee348a4c8c5de465cae182133a4
Instruction ID: 6003c4fcab7b3875b63584d6e356ab33dbd48247e44e398b5cba1a154ce39ea9
Opcode Fuzzy Hash: 482e5714fe81da1d791e86ea98de9b351047bee348a4c8c5de465cae182133a4
Instruction Fuzzy Hash: 60319C71A00229EFCB00CFA8D99DA9E7BB5FB14315F204229F921E72D1C7709A84CB90

Function 00855706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00855745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0085579D
_wcslen.LIBCMT ref: 008557AF
_wcslen.LIBCMT ref: 008557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00855816

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e81af5807344a4929e8ea26ed912c052deca3d92690b5f52520e54c7581a74c2
Instruction ID: 04758a8592c7ddba432d8f8bbfe16a9a1aa9ce52a40b5bb47db7bfdc97198de4
Opcode Fuzzy Hash: e81af5807344a4929e8ea26ed912c052deca3d92690b5f52520e54c7581a74c2
Instruction Fuzzy Hash: C721B671904618DBDB209FA0DC84AEE7BB9FF04326F108256FD29EB180D7749A89CF50

Function 007D990F Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007D98CC
SetTextColor.GDI32(?,?), ref: 007D98D6
SetBkMode.GDI32(?,00000001), ref: 007D98E9
GetStockObject.GDI32(00000005), ref: 007D98F1
GetWindowLongW.USER32(?,000000EB), ref: 007D9952

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 113f3c7c4175d095e63c7cca875cc2500082514d7c674bdcb800118874a6354b
Instruction ID: 6c3bd15fac99ba27b16da6a12ad5fe53bac310ac133d954ecc7888ff119c3c24
Opcode Fuzzy Hash: 113f3c7c4175d095e63c7cca875cc2500082514d7c674bdcb800118874a6354b
Instruction Fuzzy Hash: 5E21F6714453909FCB114F24ECA8BE53FB4AF67722F18418EE6D28B2A2D7396991DF10

Function 00840930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00840951
GetForegroundWindow.USER32 ref: 00840968
GetDC.USER32(00000000), ref: 008409A4
GetPixel.GDI32(00000000,?,00000003), ref: 008409B0
ReleaseDC.USER32(00000000,00000003), ref: 008409E8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3af64c8934a9a0967a0de8ff7cf831d375bb6862f6b0abd5801a22ab6d9c61ab
Instruction ID: 5feab19f172e2a157ba23acba481e9e0704f8b8346f1e2369203c86be98f9148
Opcode Fuzzy Hash: 3af64c8934a9a0967a0de8ff7cf831d375bb6862f6b0abd5801a22ab6d9c61ab
Instruction Fuzzy Hash: 76215E35A00214AFD704EF69D889AAEBBE5FF48701F04846CE84AD7752CA34AD04CF90

Function 007FCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 007FCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007FCDE9

Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444), ref: 007F3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 007FCE0F
_free.LIBCMT ref: 007FCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 007FCE31

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: c5c4377698c40a5cca6f1c963d0089b9db2140fe9c5a75aecf606609ea95a577
Instruction ID: 2dd39d26fa96b5d0ea6bf42ef8afcbdc20bf4927922c2ac97548dae54f06f957
Opcode Fuzzy Hash: c5c4377698c40a5cca6f1c963d0089b9db2140fe9c5a75aecf606609ea95a577
Instruction Fuzzy Hash: F4018472A0171D7F23221AB66D8CDBB796DEEC6BA1315012DFA05D7301EA6D8D0195F0

Function 007D9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D9693
SelectObject.GDI32(?,00000000), ref: 007D96A2
BeginPath.GDI32(?), ref: 007D96B9
SelectObject.GDI32(?,00000000), ref: 007D96E2

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: df9e92dcdc1af6fe69215619716cace11b226a9f0a52555dc12bddd3e36186ab
Instruction ID: d86df606e073bfdd567d7daa37d796d1dac06124dbc2e54dabb1268f7c2af874
Opcode Fuzzy Hash: df9e92dcdc1af6fe69215619716cace11b226a9f0a52555dc12bddd3e36186ab
Instruction Fuzzy Hash: 5A215E30806306EFDF11AF65EC187A97FB8BB50366F984217F511A62B0D3799892CF94

Function 00825711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00825726
_memcmp.LIBVCRUNTIME ref: 00825744
_memcmp.LIBVCRUNTIME ref: 00825757
_memcmp.LIBVCRUNTIME ref: 0082576F
_memcmp.LIBVCRUNTIME ref: 00825787

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a41b76d6546ab49039c907c2c37a7802e0959804ba92bc35303e2228d9729d8e
Instruction ID: dfeb58b4bcc09ce28ae484b29b1b0c6ae9f5d4f5a7f6124f5bd00c8ff50e0b82
Opcode Fuzzy Hash: a41b76d6546ab49039c907c2c37a7802e0959804ba92bc35303e2228d9729d8e
Instruction Fuzzy Hash: 3E01F5716C2669FFD2089115AE86FBB734DFB243A9F404030FE04DA242F734ED5482A1

Function 007F2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,007EF2DE,007F3863,00891444,?,007DFDF5,?,?,007CA976,00000010,00891440,007C13FC,?,007C13C6), ref: 007F2DFD
_free.LIBCMT ref: 007F2E32
_free.LIBCMT ref: 007F2E59
SetLastError.KERNEL32(00000000,007C1129), ref: 007F2E66
SetLastError.KERNEL32(00000000,007C1129), ref: 007F2E6F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 11b1492a215e0967ae2e3ce84aaf897ee3df38b9572e1d53f0f7b541412e9d8e
Instruction ID: 3398ad435ec4d23e38243023221c4ee450bd55c791aa2c230f0f85f8d018e4ed
Opcode Fuzzy Hash: 11b1492a215e0967ae2e3ce84aaf897ee3df38b9572e1d53f0f7b541412e9d8e
Instruction Fuzzy Hash: 2301F43624570CEBC61267746C8DD7B2A59BBC17B5B340129FB21E23A3EA7C8C034520

Function 0082000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 0082002B
ProgIDFromCLSID.COMBASE(?,00000000), ref: 00820046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0081FF41,80070057,?,?), ref: 00820054
CoTaskMemFree.COMBASE(00000000), ref: 00820064
CLSIDFromString.COMBASE(?,?), ref: 00820070

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 9b53beaf9ce4bc521a4243136f7655acf0a61b81b3992b8889a742f7350980e8
Instruction ID: 232f63ac15f5abd6575653fa9d3b1e5e76d3cad68122e55b567d3de37124282c
Opcode Fuzzy Hash: 9b53beaf9ce4bc521a4243136f7655acf0a61b81b3992b8889a742f7350980e8
Instruction Fuzzy Hash: 2601A276A00724BFEB104F68EC44BAA7AEDFF44752F144124F905D2222E775DD808FA0

Function 0082E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0082E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0082E9A5
Sleep.KERNEL32(00000000), ref: 0082E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0082E9B7
Sleep.KERNEL32 ref: 0082E9F3

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c10bf463f27f2a538d25b6879a1a78c8412d26c20016ed73b5c6feba069e9622
Instruction ID: fdc7a1f8d45e2e8203036776ad561e489e67a4b65a1f2d2fafd032fd18b0f6b9
Opcode Fuzzy Hash: c10bf463f27f2a538d25b6879a1a78c8412d26c20016ed73b5c6feba069e9622
Instruction Fuzzy Hash: ED010531C01A3DDBCF40ABE5E859AEDBB78FB09701F000556E502F2291CB3495948BA6

Function 008210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00821114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 00821120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00820B9B,?,?,?), ref: 0082112F
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00821136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082114D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 44a7f7026a636921c767a8ec5fdff2bf55f566764a6c5ae5db0e77e55be6fce3
Instruction ID: 3569eec15e3533e4d67b25a3f4af53c2c52a85fb0f3c77e6595099df428b8953
Opcode Fuzzy Hash: 44a7f7026a636921c767a8ec5fdff2bf55f566764a6c5ae5db0e77e55be6fce3
Instruction Fuzzy Hash: 97014675200315BFDB114BA8EC4DA6A3FAEFF892A1B200418FA41D2360EA35DC50CE60

Function 00820FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00820FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00820FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00820FE5
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00820FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00821002

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 90389e75299a2ab56ca4404f1d2f52bd7c73eefa4457d6b6bd2dadd6ffefe834
Instruction ID: e94f0386d9b3379d889e94b37a777506565b4c839b2d7478b123d39492115a00
Opcode Fuzzy Hash: 90389e75299a2ab56ca4404f1d2f52bd7c73eefa4457d6b6bd2dadd6ffefe834
Instruction Fuzzy Hash: DDF04935240B15AFDB214FA5AC4DF5A3BADFF89B62F604414FA46C6291CA74DC808E60

Function 00821014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0082102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00821036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821045
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 0082104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821062

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: ab714eef816441c8fd6ea2b6e60cbbfa141733c05142948490fb4be0a32990ff
Instruction ID: cc6a4774cab0dd0a848ff6bb902f8d3644910f751a61712b16a37118e4d3ec68
Opcode Fuzzy Hash: ab714eef816441c8fd6ea2b6e60cbbfa141733c05142948490fb4be0a32990ff
Instruction Fuzzy Hash: 55F04935240B55AFDB219FA5EC4DF5A3BADFF89762F200414FA46C6290CA74D8808E60

Function 0083030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830324
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830331
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 0083033E
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 0083034B
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830358
CloseHandle.KERNEL32(?,?,?,?,0083017D,?,008332FC,?,00000001,00802592,?), ref: 00830365

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f9ed309813edaf03c1a124d14681fb5d975231f5aff9e740aec149f0d7083591
Instruction ID: 0032c67647c106c7a78eaedce86665800cc18e94ae45d8238dcdfcf610c3fd0a
Opcode Fuzzy Hash: f9ed309813edaf03c1a124d14681fb5d975231f5aff9e740aec149f0d7083591
Instruction Fuzzy Hash: C801A272800B159FCB309F66D890412F7F9FF903157158A3FD19692A31C371A954CF80

Function 007FD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007FD752

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007FD764
_free.LIBCMT ref: 007FD776
_free.LIBCMT ref: 007FD788
_free.LIBCMT ref: 007FD79A

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 629525ab6f0a0bc8770618741b5fc5bef7dd84ecbbaabc0474d4b72d0c84ef16
Instruction ID: 4b466713ea8e07440c39715a166b7fdad3b1d5eb9371f90eed8016521ef8a74b
Opcode Fuzzy Hash: 629525ab6f0a0bc8770618741b5fc5bef7dd84ecbbaabc0474d4b72d0c84ef16
Instruction Fuzzy Hash: AEF0FF3259420DAB8621FB68F9C5C3A7BDEBB447107A40805F258EB626C778FC808B74

Function 00825C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00825C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00825C6F
MessageBeep.USER32(00000000), ref: 00825C87
KillTimer.USER32(?,0000040A), ref: 00825CA3
EndDialog.USER32(?,00000001), ref: 00825CBD

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 117d3687f61f19dcfdfe37ffa49d38e08f743ea562641f5290d9f033d277b3f6
Instruction ID: be93153f7922a6dd4a2b4dfb98b64f5fb8adb85983f935eb60e50cb974736ca3
Opcode Fuzzy Hash: 117d3687f61f19dcfdfe37ffa49d38e08f743ea562641f5290d9f033d277b3f6
Instruction Fuzzy Hash: D3018170540B14AFEB215B50ED5EFA677F8FB14B46F00055DA583A14E1EBF8AA888E90

Function 007F22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007F22BE

Part of subcall function 007F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000), ref: 007F29DE
Part of subcall function 007F29C8: GetLastError.KERNEL32(00000000,?,007FD7D1,00000000,00000000,00000000,00000000,?,007FD7F8,00000000,00000007,00000000,?,007FDBF5,00000000,00000000), ref: 007F29F0

_free.LIBCMT ref: 007F22D0
_free.LIBCMT ref: 007F22E3
_free.LIBCMT ref: 007F22F4
_free.LIBCMT ref: 007F2305

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a053191d2170143411ca281ee17f3c04803022c0f7929e7c9d1c13586ae210da
Instruction ID: b09b7e83b4da207c761f31d64458a099ffb1cf29526ffe48f95ba08b8d7f3a2b
Opcode Fuzzy Hash: a053191d2170143411ca281ee17f3c04803022c0f7929e7c9d1c13586ae210da
Instruction Fuzzy Hash: 3FF05E71884126CF8A12FF98BC098283B64FB18760709051BF514E73BACB781912AFE4

Function 007D95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007D95D4
StrokeAndFillPath.GDI32(?,?,008171F7,00000000,?,?,?), ref: 007D95F0
SelectObject.GDI32(?,00000000), ref: 007D9603
DeleteObject.GDI32 ref: 007D9616
StrokePath.GDI32(?), ref: 007D9631

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0cda37a1c8c9d015bd3f06d78e705aea3f876c1ac1016f7e6cdf57e3a815b092
Instruction ID: 27402454472b09c5f3559e180611679818d6faa00f35da472488d6414ebf786c
Opcode Fuzzy Hash: 0cda37a1c8c9d015bd3f06d78e705aea3f876c1ac1016f7e6cdf57e3a815b092
Instruction Fuzzy Hash: 4FF01930009705EFDB126F65ED1C7A43F71BB00362F488216F525551F0D73989A1DF20

Function 00821874 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0082187F
CloseHandle.KERNEL32(?), ref: 00821894
CloseHandle.KERNEL32(?), ref: 0082189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008218A5
HeapFree.KERNEL32(00000000), ref: 008218AC

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: 6f8fdc14ca60018c1ee99ba8199211915442a9eabac216039539bddc0b275cd2
Instruction ID: ed697d00b4ccd78f69ababa5262be49e41ad9417f1c5cd0380e70bdb782557e0
Opcode Fuzzy Hash: 6f8fdc14ca60018c1ee99ba8199211915442a9eabac216039539bddc0b275cd2
Instruction Fuzzy Hash: C9E0C236044705BFDA015BA5ED0C94ABB69FB49B22B908220F22681570CB36A4A0DF50

Function 007F0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007F10F9
__freea.LIBCMT ref: 007F1117

Part of subcall function 007F1537: _free.LIBCMT ref: 007F154F

Strings

a/p, xrefs: 007F11DE
am/pm, xrefs: 007F117A

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 1d7ae476ff71016067041c16f9a02aa4ffafda2fc4de4797d6ed169b27533bc6
Instruction ID: 22b0d142463c0148510520220dc809f79f6fb38a8bdacde15bd3e6d93c48ddd7
Opcode Fuzzy Hash: 1d7ae476ff71016067041c16f9a02aa4ffafda2fc4de4797d6ed169b27533bc6
Instruction Fuzzy Hash: 31D1F231A1020ECADB289F68C855BFAB7B1FF06310FA84159EB11AB751D77D9D80CB91

Function 0083910C Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

_wcslen.LIBCMT ref: 00839506
_wcslen.LIBCMT ref: 0083952D
7523D1A0.COMDLG32(00000058), ref: 00839585

Strings

X, xrefs: 00839412

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen$7523
String ID: X
API String ID: 1414850397-3081909835
Opcode ID: 99c04813d985071be962bd58b6d0960557be17bbc1eb2daf3b4fe3c02c12c255
Instruction ID: 35e41e0421134ae870bef4a11cf93c82e201c3e807e16c8c31cef6d249249b5a
Opcode Fuzzy Hash: 99c04813d985071be962bd58b6d0960557be17bbc1eb2daf3b4fe3c02c12c255
Instruction Fuzzy Hash: 14E16B71608340DFC724EF24C885A6AB7E0FF84314F04896DE9999B3A2DB75ED45CB92

Function 00847B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 007E0242: RtlEnterCriticalSection.NTDLL(0089070C), ref: 007E024D
Part of subcall function 007E0242: RtlLeaveCriticalSection.NTDLL(0089070C), ref: 007E028A

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 007E00A3: __onexit.LIBCMT ref: 007E00A9

__Init_thread_footer.LIBCMT ref: 00847BFB

Part of subcall function 007E01F8: RtlEnterCriticalSection.NTDLL(0089070C), ref: 007E0202
Part of subcall function 007E01F8: RtlLeaveCriticalSection.NTDLL(0089070C), ref: 007E0235

Strings

G, xrefs: 00847C7F
Variable must be of type 'Object'., xrefs: 00847C3A
5, xrefs: 00847C78

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: b43375b9cfa059ae41a5b08bf8a18fe02f770ddb516119162dec4de99963dd39
Instruction ID: ef7cd21b62c6156295a73a82e1d2203ad2e6033f106e0a7586cc0ac66c968948
Opcode Fuzzy Hash: b43375b9cfa059ae41a5b08bf8a18fe02f770ddb516119162dec4de99963dd39
Instruction Fuzzy Hash: AE915674A0420DEFCB14EF98D895EADB7B2FF48304F148059F806AB292DB75AE45CB51

Function 007F5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO|, xrefs: 007F5BA8, 007F5C6C

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID: JO|
API String ID: 0-2887696345
Opcode ID: da214a9845865a79e57d21e2c12ceae0c728f570d0631f369fd87d4b4c08297e
Instruction ID: a67a72bab9d489e23be8fca55af7aeadfa73f7c8e4f6e39d7b836146dfa1bf57
Opcode Fuzzy Hash: da214a9845865a79e57d21e2c12ceae0c728f570d0631f369fd87d4b4c08297e
Instruction Fuzzy Hash: 7A518EB1901A0EEFCB11AFA5C849ABE7BB8BF49310F14015AF705A7391D7799A01CB61

Function 007F8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 007F8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 007F8B7A
__dosmaperr.LIBCMT ref: 007F8B81

Strings

.~, xrefs: 007F8A63

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .~
API String ID: 2434981716-505086709
Opcode ID: 06c9cedee000b3643ffa922ffe08edd86ed2f58d1ddb415cddddf5bc1c4b05b8
Instruction ID: 53e013105071bac08744e369e43c686731152807fdb14b0ebaf3739e80d320f7
Opcode Fuzzy Hash: 06c9cedee000b3643ffa922ffe08edd86ed2f58d1ddb415cddddf5bc1c4b05b8
Instruction Fuzzy Hash: 65419FF160414DAFCB659F24DC85A7D7FA5EB85300F2C819AFA548B742DE39CD028751

Function 00822716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0082B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008221D0,?,?,00000034,00000800,?,00000034), ref: 0082B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00822760

Part of subcall function 0082B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0082B3F8

Part of subcall function 0082B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0082B355
Part of subcall function 0082B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00822194,00000034,?,?,00001004,00000000,00000000), ref: 0082B365
Part of subcall function 0082B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00822194,00000034,?,?,00001004,00000000,00000000), ref: 0082B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0082281A

Strings

@, xrefs: 00822832

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 537734bcbd890846e3fb703cbd10248cc1bd5cb9bb2d841982b1a5c78724e1f1
Instruction ID: 52a7d83939bb32342cd8a9e66307ccdbe18699a006442b9dfa788c57945e0e7c
Opcode Fuzzy Hash: 537734bcbd890846e3fb703cbd10248cc1bd5cb9bb2d841982b1a5c78724e1f1
Instruction Fuzzy Hash: 1B411D72901228BFDB10DBA8DD85ADEBBB8FF09700F104099FA55B7181DB706E85CB61

Function 007F172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\tN8GsMV1le.exe,00000104), ref: 007F1769
_free.LIBCMT ref: 007F1834
_free.LIBCMT ref: 007F183E

Strings

C:\Users\user\Desktop\tN8GsMV1le.exe, xrefs: 007F1760, 007F1767, 007F1796, 007F17CE

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\tN8GsMV1le.exe
API String ID: 2506810119-296164394
Opcode ID: e37fe49537fac19dcb975639e2008a42ca2ed98eed218bed614219c97bd8f844
Instruction ID: 5b4b43f379e86c97f901c489aafd69bf65d0d70809f80cc8920109a4eadae799
Opcode Fuzzy Hash: e37fe49537fac19dcb975639e2008a42ca2ed98eed218bed614219c97bd8f844
Instruction Fuzzy Hash: 92319D71A0420CEFCB21EB999989DAEBBFCEB85360F544166EA0497311D6748A40CBA0

Function 0082C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0082C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0082C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00891990,01513990), ref: 0082C395

Strings

0, xrefs: 0082C2DF

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 3c046e6a37e4dd0f631699c06c813209673b0c1ce5af2ccdf63861f92b755cde
Instruction ID: 128aece3e6d6ece3a6cf61edda215c54705176c0038d0b54b4e41d7889d0eb3d
Opcode Fuzzy Hash: 3c046e6a37e4dd0f631699c06c813209673b0c1ce5af2ccdf63861f92b755cde
Instruction Fuzzy Hash: F0418B31204351AFD720DF29E888B6EBBA8FF85324F008A1DE9A5D7391D734A944CB52

Function 00854416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0085CC08,00000000,?,?,?,?), ref: 008544AA
GetWindowLongW.USER32 ref: 008544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008544D7

Strings

SysTreeView32, xrefs: 0085447C

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7b68cad5e425434258f72db2135e4b73d5e7b86a56e03699d86456a2615fbd19
Instruction ID: 355c2fb02c6827ded6fd2ec976502b933cd69d373269591bfa9f7dae780935e3
Opcode Fuzzy Hash: 7b68cad5e425434258f72db2135e4b73d5e7b86a56e03699d86456a2615fbd19
Instruction Fuzzy Hash: 63318B31240205AFDF209E38DC45BEA7BA9FB08329F205319F979E22D0D774EC949B50

Function 0084304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0084335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00843077,?,?), ref: 00843378

inet_addr.WS2_32(?), ref: 0084307A
_wcslen.LIBCMT ref: 0084309B
htons.WS2_32(00000000), ref: 00843106

Strings

255.255.255.255, xrefs: 00843095, 0084309A

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 715877caf87a71aaa952da913aecb81102c06a572b446a5a0e957f66a3cb6e93
Instruction ID: d9dbc7e93298c3ee8366971cbf3525f9d85876962c6f796028eeb9b8cf52437a
Opcode Fuzzy Hash: 715877caf87a71aaa952da913aecb81102c06a572b446a5a0e957f66a3cb6e93
Instruction Fuzzy Hash: CE31E435200209DFDB10CF68C485EAA77E0FF14318F248199E915DB392DB76EE45CB60

Function 00854653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00854705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00854713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0085471A

Strings

msctls_updown32, xrefs: 00854684

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c8196ba334c455552098e150af1f54643bbb000433f063c12b92c3c1a8c64714
Instruction ID: aae452a5ebf7ed9e473ab555d490c1b27bd4e8ecd5b36888bfe76eea4101807d
Opcode Fuzzy Hash: c8196ba334c455552098e150af1f54643bbb000433f063c12b92c3c1a8c64714
Instruction Fuzzy Hash: 97218CB5604209AFEB11DF68DCC5DA737EDFB5A3A9B041049FA01DB291CB30EC55CA60

Function 008295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0082961D

Strings

#OnAutoItStartRegister, xrefs: 008295F3
#requireadmin, xrefs: 008295D9
#notrayicon, xrefs: 008295B7

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 82607a9482cb9557e82240882f2a68ee690c8cf3c9761b97f68a78a8e298981f
Instruction ID: 31c2173baf76b92fe582a649a8e87ad42954119a2430a85f95d74732c5b524b4
Opcode Fuzzy Hash: 82607a9482cb9557e82240882f2a68ee690c8cf3c9761b97f68a78a8e298981f
Instruction Fuzzy Hash: 0F213832204530A6D331AA25AD06FB773D8FF65314F10402AF9DAD7182EB59AD85C2A6

Function 008537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00853840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00853850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00853876

Strings

Listbox, xrefs: 0085380F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b55cf22dea26d95d0ec8678349f5891e6237ec98eda1694b4690ccea49e323a9
Instruction ID: f4d366058e3a799d404ed15193cc4b30c15f20a512c77937d136f299ba489a18
Opcode Fuzzy Hash: b55cf22dea26d95d0ec8678349f5891e6237ec98eda1694b4690ccea49e323a9
Instruction Fuzzy Hash: 2921CF72600218BBEF219FA4CC85FBB376EFF89791F108124F910AB190C675DC568BA0

Function 008349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00834A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00834A5C
SetErrorMode.KERNEL32(00000000,?,?,0085CC08), ref: 00834AD0

Strings

%lu, xrefs: 00834A6F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4552c212d5536f7d783289ab1ccb54bc4f5ac5666de207f134e842e3ea34a98b
Instruction ID: 12c3b554e7d51a88f234f2c714a43583ea733e0c2bdbebdce204673cb5744fb0
Opcode Fuzzy Hash: 4552c212d5536f7d783289ab1ccb54bc4f5ac5666de207f134e842e3ea34a98b
Instruction Fuzzy Hash: 75312F75A00219AFDB10DF64C885EAA7BF8FF44308F144099F905DB252DB75ED45CBA1

Function 008541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0085424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00854264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00854271

Strings

msctls_trackbar32, xrefs: 00854226

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e4a16bb6fe39a6c711659c991ee998de3da4701e9820099438fd145db8a76c04
Instruction ID: db852f0bed99de2bb0af5f6253555947620930a5ebab7396c8542192b94dbeab
Opcode Fuzzy Hash: e4a16bb6fe39a6c711659c991ee998de3da4701e9820099438fd145db8a76c04
Instruction Fuzzy Hash: 0011E331240208BEEF205E29CC46FAB3BACFF95B59F110128FA55E2090D271D8519B20

Function 00822F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C6B57: _wcslen.LIBCMT ref: 007C6B6A

Part of subcall function 00822DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00822DC5
Part of subcall function 00822DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00822DD6
Part of subcall function 00822DA7: GetCurrentThreadId.KERNEL32 ref: 00822DDD
Part of subcall function 00822DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00822DE4

GetFocus.USER32 ref: 00822F78

Part of subcall function 00822DEE: GetParent.USER32(00000000), ref: 00822DF9

GetClassNameW.USER32(?,?,00000100), ref: 00822FC3
EnumChildWindows.USER32(?,0082303B), ref: 00822FEB

Strings

%s%d, xrefs: 00822FFF

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: d6b353ed4bbe74df5d29c7011d60f4c7b01ac30b13f6066384692d3eb19a621e
Instruction ID: 28e1b67a8f1a6981317948b519559db1e2a9e772bf88d565a7704fa514e255f7
Opcode Fuzzy Hash: d6b353ed4bbe74df5d29c7011d60f4c7b01ac30b13f6066384692d3eb19a621e
Instruction Fuzzy Hash: 0A11C3B1200219ABCF00BF749C95EED37AAFF94304F044079B909DB252DE385E898B70

Function 00855882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008558EE
DrawMenuBar.USER32(?), ref: 008558FD

Strings

0, xrefs: 0085588F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: a70b4c57075a96941aa0c50b4b49a4285ae23c3ed8c37c7d1205988a91a3ecce
Instruction ID: b52ef3680a142ca8e605d10eb1fc9acf687747e4c1f485f275cf3ae79e1bd4ef
Opcode Fuzzy Hash: a70b4c57075a96941aa0c50b4b49a4285ae23c3ed8c37c7d1205988a91a3ecce
Instruction Fuzzy Hash: B9018431500218EFDB119F51EC44BAEBFB5FF45362F108099E849D6261DB348A84DF71

Function 0082007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1ba45a9a6bcafaabb07d66c7de0194aae1644734704b8a8a26d689d5317f57
Instruction ID: 7d64030a5e0f8e819c4666b7c5538d55c01e897be25b79c729ded36bdeedeccd
Opcode Fuzzy Hash: 4c1ba45a9a6bcafaabb07d66c7de0194aae1644734704b8a8a26d689d5317f57
Instruction Fuzzy Hash: 7BC14C75A0021AEFDB14CF94D898AAEB7B5FF48704F108599E905EB252D731ED81CF90

Function 0084342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00843459
CoUninitialize.COMBASE ref: 00843463
VariantInit.OLEAUT32(?), ref: 0084346E
VariantClear.OLEAUT32(?), ref: 0084371B

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 806040d8b64e84088ac06326b0e4392242fbec41444812291ed22d393b76e6f8
Instruction ID: 4f440d179eb729dfa824147b5150c142c5a8045f8e4f3a0985fd8b0a94028689
Opcode Fuzzy Hash: 806040d8b64e84088ac06326b0e4392242fbec41444812291ed22d393b76e6f8
Instruction Fuzzy Hash: 08A103756042059FCB14DF28C489A2AB7E5FF88714F05885DF98A9B362DB34EE01DB92

Function 00820436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.COMBASE(?,00000000), ref: 008205F0
CoTaskMemFree.COMBASE(00000000), ref: 00820608
CLSIDFromProgID.COMBASE(?,?), ref: 0082062D
_memcmp.LIBVCRUNTIME ref: 0082064E

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a21c0440c85a7b0988360b0d3ddd6d69a9f0e16abf0c51d44d02d62ca49e50bf
Instruction ID: 53fe8ba2a88d9ca97c8c23a092149137d7bf719d110a2073ea032cb953b959e3
Opcode Fuzzy Hash: a21c0440c85a7b0988360b0d3ddd6d69a9f0e16abf0c51d44d02d62ca49e50bf
Instruction Fuzzy Hash: 07810771A00219EFCB04DF94C988EEEB7B9FF89315B204558E506EB251DB71AE46CF60

Function 00801391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008014C0

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b5c7c581c81944569cd5854931deb426504f951b8cc5dabd844ca1dacf481562
Instruction ID: e570cc2bcf11f84f34dfc4d93e27ae780fd6d88acad25d6668cca0c23b74ed56
Opcode Fuzzy Hash: b5c7c581c81944569cd5854931deb426504f951b8cc5dabd844ca1dacf481562
Instruction Fuzzy Hash: 94415D32600948EBDF616FBD8C8D6BE3AAAFF45330F144225F618D72E2E73848415766

Function 00856278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0151E558,?), ref: 008562E2
ScreenToClient.USER32(?,?), ref: 00856315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00856382

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7c7a7ca3302acaf76b3745099a3f4269ae9807294e8283ba0e73cf8ae33a4167
Instruction ID: 1be255b0b380951854d75fb57ba03486aa54f5ad3581d8347083bc47885e72d3
Opcode Fuzzy Hash: 7c7a7ca3302acaf76b3745099a3f4269ae9807294e8283ba0e73cf8ae33a4167
Instruction Fuzzy Hash: BB513A74A00209EFCF10DF68D884AAE7BB6FB45365F508169F815DB2A0E730ED95CB50

Function 007FB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5fa1af4f0bddc5b69b3c690a3e106c13dead4a2a29c2c2a590fae8327b4119
Instruction ID: 413225fe76d7a2a60b8d8c35c765c48d7531b05ebcc46b1e472430f4e3de0cfb
Opcode Fuzzy Hash: fb5fa1af4f0bddc5b69b3c690a3e106c13dead4a2a29c2c2a590fae8327b4119
Instruction Fuzzy Hash: 63412B75900748FFD7249F78CC45B7E7BA9EB88710F10452AF251DB782D779A9018B90

Function 008356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00835783
GetLastError.KERNEL32(?,00000000), ref: 008357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008357FA

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d42aea1653731cf36e8290a7d3d9f463790272587744dca777eed589b1e8ae32
Instruction ID: ba814c03e74319007079451c990c9fb31dfbc9b915675602eac088d0dd1be42a
Opcode Fuzzy Hash: d42aea1653731cf36e8290a7d3d9f463790272587744dca777eed589b1e8ae32
Instruction Fuzzy Hash: 7D410735600610DFCB15DF15D445A5ABBE2FF89320B18889CE84AAB362CB38FD41DF91

Function 007FD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,007E6D71,00000000,00000000,007E82D9,?,007E82D9,?,00000001,007E6D71,?,00000001,007E82D9,007E82D9), ref: 007FD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007FD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 007FD9AB
__freea.LIBCMT ref: 007FD9B4

Part of subcall function 007F3820: RtlAllocateHeap.NTDLL(00000000,?,00891444), ref: 007F3852

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4bcb5c6cb6de51fe7ba2c6927e3370973df0d8acb46dd037493df8300425fe2f
Instruction ID: a67935a3ce5eb81ecab97033b5f7cf2dfe53a34acc22a89c0e193ae56958b834
Opcode Fuzzy Hash: 4bcb5c6cb6de51fe7ba2c6927e3370973df0d8acb46dd037493df8300425fe2f
Instruction Fuzzy Hash: 2F31CF72A0020AABDF25DFA9DC45EBE7BA6EB40310F054168FD04D7251EB79ED50CBA0

Function 008552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00855352
GetWindowLongW.USER32(?,000000F0), ref: 00855375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00855382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008553A8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 2c50d99ed814273fa30d42a3b093c1984075b7da759e951f273ec42e5eef5ce9
Instruction ID: e8cd6899bd0ab7a2b5b42fc489343332621e904d830cd5821d90f3efa52701f0
Opcode Fuzzy Hash: 2c50d99ed814273fa30d42a3b093c1984075b7da759e951f273ec42e5eef5ce9
Instruction Fuzzy Hash: BE31C134A55A0CEFEF209F14CC25BE977A2FB06392F584016BE19D63E0C7B499889B41

Function 0082AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0082ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0082AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0082AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0082ACC6

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 991fefb9558f6b69e8864a085315d1eb05e0034dfecd813a4c965c7aea39001e
Instruction ID: 24052af6ce448196f9b2b067141f0039d0165826be30b34962ea66a05c7ec4cc
Opcode Fuzzy Hash: 991fefb9558f6b69e8864a085315d1eb05e0034dfecd813a4c965c7aea39001e
Instruction Fuzzy Hash: 5931F430A04728AFFF298B65EC047FA7BAAFF89310F04421AE485D21D1D3798AC58752

Function 00857674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0085769A
GetWindowRect.USER32(?,?), ref: 00857710
PtInRect.USER32(?,?,00858B89), ref: 00857720
MessageBeep.USER32(00000000), ref: 0085778C

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1f2948ca9719b7853ec5893925d5bf984f78b400f7dd8e76d685caa8fc001746
Instruction ID: 609ccaca42d67f0bf5e93689ede672ed168918dbdd3e20146ad2731dc25f36d6
Opcode Fuzzy Hash: 1f2948ca9719b7853ec5893925d5bf984f78b400f7dd8e76d685caa8fc001746
Instruction Fuzzy Hash: 2641AD34609255DFDB02DF58E898EA9BBF5FB49306F1880A9E814DB261C330A949CF90

Function 008516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008516EB

Part of subcall function 00823A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00823A57
Part of subcall function 00823A3D: GetCurrentThreadId.KERNEL32 ref: 00823A5E
Part of subcall function 00823A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008225B3), ref: 00823A65

GetCaretPos.USER32(?), ref: 008516FF
ClientToScreen.USER32(00000000,?), ref: 0085174C
GetForegroundWindow.USER32 ref: 00851752

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: bd90f8576d1621080a877ecc4c4e748e0ef8e788becbd5af2b5298600297dffd
Instruction ID: 04a69b51a870e35e28ef122b794e44ddc43f43ff39989d8b4204309de9d7ab0d
Opcode Fuzzy Hash: bd90f8576d1621080a877ecc4c4e748e0ef8e788becbd5af2b5298600297dffd
Instruction Fuzzy Hash: 6F313E75D00249AFCB04EFA9C885DAEBBF9FF48304B5480AEE415E7211DA359E45CBA1

Function 0082D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0082D501
Process32FirstW.KERNEL32(00000000,?), ref: 0082D50F
Process32NextW.KERNEL32(00000000,?), ref: 0082D52F
CloseHandle.KERNEL32(00000000), ref: 0082D5DC

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 82054c3542f46efef9f5a11e796070392653c0ea5d869bb4b600581de3e4be3d
Instruction ID: 363e3dbc7e331407a2c147332b07faf7918c82c9a16b48b469cfed429637e90d
Opcode Fuzzy Hash: 82054c3542f46efef9f5a11e796070392653c0ea5d869bb4b600581de3e4be3d
Instruction Fuzzy Hash: 2D317E711083009FD301EF64D889EAFBBF8FF99354F14092DF581861A1EB75A985CBA2

Function 0082D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0085CB68), ref: 0082D2FB
GetLastError.KERNEL32 ref: 0082D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0082D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0085CB68), ref: 0082D376

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 33e8878ae4be46efdb8d99daa479445a8e724d9492cd337a06551e5c2bc5bb09
Instruction ID: a6d9573114525e602ebcbe2a594d8c9e3847fd7d23cea738501b5e990c48854e
Opcode Fuzzy Hash: 33e8878ae4be46efdb8d99daa479445a8e724d9492cd337a06551e5c2bc5bb09
Instruction Fuzzy Hash: 39219F70508311DF8700DF28D8898AABBE4FE56324F504A1DF4A9C33A1E734D98ACB93

Function 00821571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00821014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0082102A
Part of subcall function 00821014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00821036
Part of subcall function 00821014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821045
Part of subcall function 00821014: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 0082104C
Part of subcall function 00821014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00821062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008215BE
_memcmp.LIBVCRUNTIME ref: 008215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00821617
HeapFree.KERNEL32(00000000), ref: 0082161E

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: 11bf09595ec9e03b67b6cc3d67939dad841457bc89335d38b2f36455a6e38c4d
Instruction ID: 548ca70d21ef131f97330c38f53191bb6600d5ac9cf41f4a68769964a0992021
Opcode Fuzzy Hash: 11bf09595ec9e03b67b6cc3d67939dad841457bc89335d38b2f36455a6e38c4d
Instruction Fuzzy Hash: D5215771E40218AFDF00DFA4D949BEEB7B8FF64355F284459E441AB241E734AA85CBA0

Function 00852782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0085280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00852824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00852832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00852840

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b53609bdb560a92956cd3d9d03cc3b316df14cf7c640ca1fd43213b845e37026
Instruction ID: 135b8702c580bfc6f1af81fd9ca0debe89e4ddeaa441b78b99176e347ebab15a
Opcode Fuzzy Hash: b53609bdb560a92956cd3d9d03cc3b316df14cf7c640ca1fd43213b845e37026
Instruction Fuzzy Hash: A621E031204211AFD715DB24C845FAA7B95FF4A326F14825CF826CB2E2CB75EC86CB90

Function 008278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00828D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0082790A,?,000000FF,?,00828754,00000000,?,0000001C,?,?), ref: 00828D8C
Part of subcall function 00828D7D: lstrcpyW.KERNEL32(00000000,?,?,0082790A,?,000000FF,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00828DB2
Part of subcall function 00828D7D: lstrcmpiW.KERNEL32(00000000,?,0082790A,?,000000FF,?,00828754,00000000,?,0000001C,?,?), ref: 00828DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00827923
lstrcpyW.KERNEL32(00000000,?,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00827949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00828754,00000000,?,0000001C,?,?,00000000), ref: 00827984

Strings

cdecl, xrefs: 0082797B

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: affb5f606d4ce02cd3aaf556f7e78e3bbbf39e24003e3ae971103e591893e653
Instruction ID: 4cc5b1b5e32f759570d65d661da070cf690511eb82e05ad73b72eff9e56fb58e
Opcode Fuzzy Hash: affb5f606d4ce02cd3aaf556f7e78e3bbbf39e24003e3ae971103e591893e653
Instruction Fuzzy Hash: 7111E93A200311AFCB155F39E845D7A7BA9FF45354B50402AF946C73A4EB359891C761

Function 00857CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00857D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00857D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00857D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0083B7AD,00000000), ref: 00857D6B

Part of subcall function 007D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 007D9BB2

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 29f16de3eb94c9bb900f0b231cf287ea3ce600ce1b4e9cd865cbf041b7f5d40e
Instruction ID: f0f9018e7c997cd12c22e31e2df93de26678e26fd412caddc2f7743dda57f0fa
Opcode Fuzzy Hash: 29f16de3eb94c9bb900f0b231cf287ea3ce600ce1b4e9cd865cbf041b7f5d40e
Instruction Fuzzy Hash: F511C031208615AFCB119F68DC08A663BA5FF45362B158325FC35D72F0E7319D58CB40

Function 00855660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008556BB
_wcslen.LIBCMT ref: 008556CD
_wcslen.LIBCMT ref: 008556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00855816

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e30a79a35be292e8237882c49a82506f22a3ba703430d72d5a24d931fdfb661a
Instruction ID: 80497c34372689ac38e4326afe80b6442c9c87ac5399206bfb02d56bc2cf8b68
Opcode Fuzzy Hash: e30a79a35be292e8237882c49a82506f22a3ba703430d72d5a24d931fdfb661a
Instruction Fuzzy Hash: 78110375600608E6DF209FA1DC95AEE3BBCFF10766B10402AFD15E6081E774DA88CF64

Function 008214CE Relevance: 6.1, APIs: 4, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00821506
CloseHandle.KERNEL32(00000004), ref: 00821520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0082154F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 5451372b3118de1686bd800bab08465259aed05bf198d302f985ff9cabc0125f
Instruction ID: c351abba588df93283ff7ce8143043d5209ab53554e2641ff34bd23c3dc7500b
Opcode Fuzzy Hash: 5451372b3118de1686bd800bab08465259aed05bf198d302f985ff9cabc0125f
Instruction Fuzzy Hash: 9D11597250030DAFDF118F98EE49BDE7BA9FF48705F144055FA05A2160C3758EA0DB60

Function 007F1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194832ff5efd9076562af2ccd368e6a386a4f53a3c9e1d91898e526e4ac907d1
Instruction ID: 29c6ff9fcc1fb595059bcf3d7e687bb26dd0a1592f650bccda71a47bba365e93
Opcode Fuzzy Hash: 194832ff5efd9076562af2ccd368e6a386a4f53a3c9e1d91898e526e4ac907d1
Instruction Fuzzy Hash: FB018BB2319A1EBEF62126786CC4F37662DEF413B8F750329F721A13D2DB689C005660

Function 00821A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00821A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00821A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00821A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00821A8A

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 012da72f200f9bf224f970f9dd1878b903616105602654dd20fd819a93dc95a5
Instruction ID: 3ffa6e1ff2079fc697f31343067d5e5f9579d6a7540f9d3ea07929b0e88bffdc
Opcode Fuzzy Hash: 012da72f200f9bf224f970f9dd1878b903616105602654dd20fd819a93dc95a5
Instruction Fuzzy Hash: 4411273A901229FFEF109BA4C985FADBB78FB18750F2000A1EA01B7290D7716E50DB94

Function 0082E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0082E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0082E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0082E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0082E24D

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 316a44e6096717b84bf5cc66827918ef1a64143ec1915203cd7204a4afc3a186
Instruction ID: 018cd9a0417559ca4fcb9066f1fe4e6784fbd834559024f2f95850d4f93fd64c
Opcode Fuzzy Hash: 316a44e6096717b84bf5cc66827918ef1a64143ec1915203cd7204a4afc3a186
Instruction Fuzzy Hash: A211C876904369FFCB019FA8AC09A9E7FACFB45311F144256F925E3391D7788D448BA0

Function 007ED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,007ECFF9,00000000,00000004,00000000), ref: 007ED218
GetLastError.KERNEL32 ref: 007ED224
__dosmaperr.LIBCMT ref: 007ED22B
ResumeThread.KERNEL32(00000000), ref: 007ED249

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ecb72ffcaba6a0084995e957d87dcbd38a3c3bfdf587210f562755fbe667050c
Instruction ID: 05dfce3369ded3d257633fa17cbe80c208fd1aa6d83d913b8147c74408f35b40
Opcode Fuzzy Hash: ecb72ffcaba6a0084995e957d87dcbd38a3c3bfdf587210f562755fbe667050c
Instruction Fuzzy Hash: C501D636807248BFC7215BA7DC09BAE7A6DFF89731F104219FA25961D0DB798D01C6A1

Function 007C600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007C604C
GetStockObject.GDI32(00000011), ref: 007C6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 007C606A

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 258b484dc80b37fff443c0149232558a5f0dc52f5abd0e21c627a19bd228206c
Instruction ID: bf4baeca850e2db19c7020c8150d29feeee5a47227792aba920921385075aa40
Opcode Fuzzy Hash: 258b484dc80b37fff443c0149232558a5f0dc52f5abd0e21c627a19bd228206c
Instruction Fuzzy Hash: F7115E72501609BFEF125F949C84FEA7BA9FF18755F050119FA1562110D73A9CA09F90

Function 007E3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 007E3B56

Part of subcall function 007E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 007E3AD2
Part of subcall function 007E3AA3: ___AdjustPointer.LIBCMT ref: 007E3AED

_UnwindNestedFrames.LIBCMT ref: 007E3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 007E3B7C
CallCatchBlock.LIBVCRUNTIME ref: 007E3BA4

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 4b22b94fcf7a57680e310593f851e22bec77f6833764d96f381c090a273ea2aa
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 04012972101189BBDF126E96CC4AEEB3B6EEF8C754F044014FE4896121C73AE961DBA0

Function 007F3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007C13C6,00000000,00000000,?,007F301A,007C13C6,00000000,00000000,00000000,?,007F328B,00000006,FlsSetValue), ref: 007F30A5
GetLastError.KERNEL32(?,007F301A,007C13C6,00000000,00000000,00000000,?,007F328B,00000006,FlsSetValue,00862290,FlsSetValue,00000000,00000364,?,007F2E46), ref: 007F30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,007F301A,007C13C6,00000000,00000000,00000000,?,007F328B,00000006,FlsSetValue,00862290,FlsSetValue,00000000), ref: 007F30BF

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 759bf9fbc23ee342007876943f9aa64ef946c5ff1bd791a5f275f9fedff6b5ae
Instruction ID: 543377cf383ee4bbef506858192cd46cd8d86d67dcf1b289f34dc980345c7c89
Opcode Fuzzy Hash: 759bf9fbc23ee342007876943f9aa64ef946c5ff1bd791a5f275f9fedff6b5ae
Instruction Fuzzy Hash: 1D01D43230132AAFCB214A799C449777B9AAF05BA1B210721FA06E3340CF29D941CAE0

Function 00827464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0082747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00827497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008274CA

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f28ae5105384577044e8e08f0e292d5cfa37e63f0e16f7aef19c06d6115554d8
Instruction ID: 73266e8d6abfd8105bf035138071218a265140cfb0f16e048aab876064ed12d0
Opcode Fuzzy Hash: f28ae5105384577044e8e08f0e292d5cfa37e63f0e16f7aef19c06d6115554d8
Instruction Fuzzy Hash: 7811ADB1205325AFE720AF15EC08FA27BFCFB00B04F508569E616D6191D7B4E984DFA5

Function 0082B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0082ACD3,?,00008000), ref: 0082B126

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e836b0a1da72951e91dc024a30b3f3502ce77d8c6ef12fa0579bc7fb5447cae1
Instruction ID: e6fbef56875121e685d5b8f0d59841209ee78f8a7e869b2d9bec725b244dde7c
Opcode Fuzzy Hash: e836b0a1da72951e91dc024a30b3f3502ce77d8c6ef12fa0579bc7fb5447cae1
Instruction Fuzzy Hash: A5112D31D02A3DEBCF00AFE4E9696EEBF78FF49711F114096D941B2281DB3456A08B55

Function 00822DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00822DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00822DD6
GetCurrentThreadId.KERNEL32 ref: 00822DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00822DE4

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f858f8caeb5752bcbab7b192152ccd47b3756abdb8063a448125556b885a0808
Instruction ID: 477537475445f521050b83ab4d334cc21b933026ce8d26cc5d7fa530c3fdea8a
Opcode Fuzzy Hash: f858f8caeb5752bcbab7b192152ccd47b3756abdb8063a448125556b885a0808
Instruction Fuzzy Hash: F3E0EDB25417387BD7201B72AC0DEEB7EACFB56BA2F400119B506D50909AA99985CAB0

Function 00858863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D9693
Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96A2
Part of subcall function 007D9639: BeginPath.GDI32(?), ref: 007D96B9
Part of subcall function 007D9639: SelectObject.GDI32(?,00000000), ref: 007D96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00858887
LineTo.GDI32(?,?,?), ref: 00858894
EndPath.GDI32(?), ref: 008588A4
StrokePath.GDI32(?), ref: 008588B2

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 95c932b87889642c742b5852a2e0d59e2f37f9db97db3cbd9ab53f0c33376d43
Instruction ID: ed4f286f9a576607ed99eeb52b5f6515cbd4af09861fd418e9a0b2801560340e
Opcode Fuzzy Hash: 95c932b87889642c742b5852a2e0d59e2f37f9db97db3cbd9ab53f0c33376d43
Instruction Fuzzy Hash: 87F03A36045759FADB126F94AC0DFCA3F69BF06312F448001FA11650E1C7795511CFA5

Function 007D98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007D98CC
SetTextColor.GDI32(?,?), ref: 007D98D6
SetBkMode.GDI32(?,00000001), ref: 007D98E9
GetStockObject.GDI32(00000005), ref: 007D98F1

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: b2ea3a2d1f04728c0bf0e07ec02e3e165b07bf5013e640b0df696f2988626d6c
Instruction ID: 7e2710584abb0d55fa5ae400ea544202b6c31c0081ea8e9773e00c1863a5a7e3
Opcode Fuzzy Hash: b2ea3a2d1f04728c0bf0e07ec02e3e165b07bf5013e640b0df696f2988626d6c
Instruction Fuzzy Hash: 66E06D31284780AEDB215B78AC09BE83F21FB12376F04821AF7FA980E1C77546809F10

Function 0082162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00821634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008211D9), ref: 0082163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008211D9), ref: 00821648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008211D9), ref: 0082164F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: b05583b22f4c9b77825b204d794dc10d236082f3d2d2e4d56931853df6cc2b89
Instruction ID: 307ab00bd70c5e323d683c531c37d37db62ddfe5b4deb5a23c80e6c7f17b0977
Opcode Fuzzy Hash: b05583b22f4c9b77825b204d794dc10d236082f3d2d2e4d56931853df6cc2b89
Instruction Fuzzy Hash: 95E04F71602321AFDB201BA1AD0DB8A3B68FF64B93F144808F245C9080D6284480CB50

Function 0081D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0081D858
GetDC.USER32(00000000), ref: 0081D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0081D882
ReleaseDC.USER32(?), ref: 0081D8A3

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7bf3ef87bec68182e1b71a50ff79d75dd981dcd467a9f7802ca5bddda9499244
Instruction ID: 2122ce86a743e8bf9fdece4e4af494ba75e061e3ad753030cbb76c33171f4755
Opcode Fuzzy Hash: 7bf3ef87bec68182e1b71a50ff79d75dd981dcd467a9f7802ca5bddda9499244
Instruction Fuzzy Hash: BDE075B5800305DFCB519FA09908A6DBBF5FB58712B14945DE84AE7250D73C5A41AF50

Function 0081D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0081D86C
GetDC.USER32(00000000), ref: 0081D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0081D882
ReleaseDC.USER32(?), ref: 0081D8A3

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: bd8877638c4adb6d765363706edddf2d4cdc1a99285ab24e85f0f475a6a50c14
Instruction ID: 2bf02e4f3862b3768e6e047bc2f1dda6218a5b5b0eef81d18ef1f5dd985acdc5
Opcode Fuzzy Hash: bd8877638c4adb6d765363706edddf2d4cdc1a99285ab24e85f0f475a6a50c14
Instruction Fuzzy Hash: D6E07EB5800304EFCB51AFA09808A6DBBF5BB58712B14944DE94AE7250DB3C5A02AF50

Function 00834D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 007C7620: _wcslen.LIBCMT ref: 007C7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00834ED4

Strings

LPT, xrefs: 00834DFB
*, xrefs: 00834E10

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 3e2613104bfd19f2f876e415b742945530c958f7aed59dedecc91e11e913a893
Instruction ID: b555e8cce4bbf901e78aaf014cbc8ac07a03759b4e0a8da3e3a5d23bc8641b6e
Opcode Fuzzy Hash: 3e2613104bfd19f2f876e415b742945530c958f7aed59dedecc91e11e913a893
Instruction Fuzzy Hash: 0C912C75A002049FCB14DF58C484EA9BBF1FF85318F19909DE80A9B362DB75ED85CB91

Function 00824D9F Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 223comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00824F4B

Strings

AutoIt3GUI, xrefs: 00824EB3
Container, xrefs: 00824EBA

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 99bc0357579a695734be9e2d0fe0a2f76b71dd23dfeb49daff4ac1763c994124
Instruction ID: 70a72f3a2bf0bac33af58f7c9e040237ee01ebe54c07df111b01052b87367c72
Opcode Fuzzy Hash: 99bc0357579a695734be9e2d0fe0a2f76b71dd23dfeb49daff4ac1763c994124
Instruction Fuzzy Hash: F6815A70200611AFDB14DF58C988A6ABBF5FF48705F14856EF94ADB391DBB0E885CB60

Function 007EE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007EE30D

Strings

pow, xrefs: 007EE2E5, 007EE302

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 20578f5d99fdeabebcb6fc66edadaa1caa4a7bc3de4be22c8e628955f87e1117
Instruction ID: a060e99bbe2bcb9fc0b03818c9fdbe75295246ca01e3dd15cb22ce4ef06166b0
Opcode Fuzzy Hash: 20578f5d99fdeabebcb6fc66edadaa1caa4a7bc3de4be22c8e628955f87e1117
Instruction Fuzzy Hash: 7E51AA61A0E64AD6CB197B15CD4537A3BA8FB04740F348DA9E1D1823E9EF3C8C91DA46

Function 007DE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 007DE1B1

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 0a32950f684ffef6c87a801c03f75b359ba74b615ce7146d533a0a2c9d381b8a
Instruction ID: 772344bc0c62f28b86ca473b75b27b020ce0def21ce891dc3f94981b1c906211
Opcode Fuzzy Hash: 0a32950f684ffef6c87a801c03f75b359ba74b615ce7146d533a0a2c9d381b8a
Instruction Fuzzy Hash: 2C510575500246DFEB15EF68C485AFA7BB8FF55310F24445AEC51DB2D0D638AD82CB60

Function 007DF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 007DF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 007DF2BB

Strings

@, xrefs: 007DF2AF

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a7ac83ec1c52984d5779f432e963321da4062a325cd31bc5841e2d363baa2082
Instruction ID: fe45713c5ce83b088f56652ad8fc277741686fbd8f7ce28d526c79908076813b
Opcode Fuzzy Hash: a7ac83ec1c52984d5779f432e963321da4062a325cd31bc5841e2d363baa2082
Instruction Fuzzy Hash: 22513472418B44DBD320AF14DC8ABAFBBF8FB84300F81885DF1D9411A5EB749569CB66

Function 00845745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008457E0
_wcslen.LIBCMT ref: 008457EC

Strings

CALLARGARRAY, xrefs: 008457E6, 008457EB

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 1b044a732704c55a654c59641aaff8219b466840bbfbbb9ec51f458c2096137f
Instruction ID: 297a8777ea2817bfb68b8d590d36ccaac18637679dd9595992486654a1096234
Opcode Fuzzy Hash: 1b044a732704c55a654c59641aaff8219b466840bbfbbb9ec51f458c2096137f
Instruction Fuzzy Hash: FB418C31A00209DFCB14EFA9C8859AEBBF5FF59724F10406DE505E7292EB349D81CBA0

Function 0083D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0083D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0083D13A

Strings

|, xrefs: 0083D10B

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 8a9004c4755ebb8979f6058b248dc07d22a82c1982950593acaf02811e7c635f
Instruction ID: 84f4ff75506f875dd1ea11bb9cbd01811996f87c3ad7c900411dfbc86baacfec
Opcode Fuzzy Hash: 8a9004c4755ebb8979f6058b248dc07d22a82c1982950593acaf02811e7c635f
Instruction Fuzzy Hash: EB310771D00209EBCF15EFA5DC89EEEBFB9FF48304F000019E815A6162E735AA16CB90

Function 0085356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00853621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0085365C

Strings

static, xrefs: 008535BC

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c7db4c5e1c7a0e3f4ace31f92bece90854e6e2a1ba88ee7bdeceb027634b00f1
Instruction ID: 26884efd8344ab539a03b7ea5944164997849e0272dc4ec7ef48d4fc8361d5da
Opcode Fuzzy Hash: c7db4c5e1c7a0e3f4ace31f92bece90854e6e2a1ba88ee7bdeceb027634b00f1
Instruction Fuzzy Hash: DE318C71100604AEDB109F28DC80EBB73A9FF98765F10961DF8A5D7290DA34AD85DB60

Function 00854537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0085461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00854634

Strings

', xrefs: 0085458E

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 60a34ef5cc03cd5f44f9f39cd30c5c475384b64a470a45c3c543652b5f6e5cfb
Instruction ID: 8640ab8ef240325ee068772c0b57b8e17c92c57ae515d44e8dc0dc719c1c9e5a
Opcode Fuzzy Hash: 60a34ef5cc03cd5f44f9f39cd30c5c475384b64a470a45c3c543652b5f6e5cfb
Instruction Fuzzy Hash: 76311774A0120AAFDB14CF69C990BDABBB5FB09305F14506AED04EB341E770A985CF90

Function 008531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0085327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00853287

Strings

Combobox, xrefs: 00853249

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3012a9e9997bf34d44aa7a65d7f79c2d5e754ca4ec40bae30a0f4a24cfb4e3cc
Instruction ID: 729a6476a825ee1a17a9968382750055ac57c62786effabe0b7d3114b4c140a9
Opcode Fuzzy Hash: 3012a9e9997bf34d44aa7a65d7f79c2d5e754ca4ec40bae30a0f4a24cfb4e3cc
Instruction Fuzzy Hash: A811B271304608BFEF219E54DC84EBB376BFB943A6F104129F918E7290D6359D558760

Function 00853710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 007C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007C604C
Part of subcall function 007C600E: GetStockObject.GDI32(00000011), ref: 007C6060
Part of subcall function 007C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007C606A

GetWindowRect.USER32(00000000,?), ref: 0085377A
GetSysColor.USER32(00000012), ref: 00853794

Strings

static, xrefs: 00853757

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 83a36eddb9aac5877f76159b075679f79b69bd36b248a4a0f3f9ed343fde70b8
Instruction ID: 12d96dc54db6a9f0dc585e2ff54b6851160c6bc5635c5782badf5c66614fc2eb
Opcode Fuzzy Hash: 83a36eddb9aac5877f76159b075679f79b69bd36b248a4a0f3f9ed343fde70b8
Instruction Fuzzy Hash: 111129B2A10209AFDF00DFA8CC45EFA7BB8FB08355F004529FD55E2250E735E9559B50

Function 0083CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0083CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0083CDA6

Strings

<local>, xrefs: 0083CD66

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: aa9b9971f1ad64919247c7d658229d5488b80ed0e015264fe50d49e4817c9565
Instruction ID: 147cb812547f45733ec3c67fbb91f46c71496bd83cbc33cecd65152e3f14633e
Opcode Fuzzy Hash: aa9b9971f1ad64919247c7d658229d5488b80ed0e015264fe50d49e4817c9565
Instruction Fuzzy Hash: 6411C275205635BED7385B668C49EE7BEADFF927A8F00422AB109E3180D7749840D7F0

Function 00853429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008534BA

Strings

edit, xrefs: 0085348F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1177f9945a4cb55f82c0977bad86ff1692f563bea0903a007d0a83fd338b8416
Instruction ID: a8ec8437b6e24e2803c080bce1997bd73bfc4e16f49eeb51c66cc9d73698b3c1
Opcode Fuzzy Hash: 1177f9945a4cb55f82c0977bad86ff1692f563bea0903a007d0a83fd338b8416
Instruction Fuzzy Hash: D2119D71100208AFEF114E64DC44AAB376AFB243B9F504724FD61D31D0C735DD999B58

Function 00826C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00826CB6
_wcslen.LIBCMT ref: 00826CC2

Strings

STOP, xrefs: 00826CBC, 00826CC1

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: aea1e0ed5ac7fa77c0652a84447b8979d3feb9fdddb04006ef819f4af36a5f71
Instruction ID: 443125ecc5327234e48ad606cc77d49bde52ab192c8e15886d4a116dc820cd51
Opcode Fuzzy Hash: aea1e0ed5ac7fa77c0652a84447b8979d3feb9fdddb04006ef819f4af36a5f71
Instruction Fuzzy Hash: 89010032A0053A8BCB20AFFDEC849BF73E4FB607147400528E862D3190FA36D9A0C650

Function 00821CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00821D4C

Strings

ComboBox, xrefs: 00821CEB
ListBox, xrefs: 00821D16

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 015119a57bab5076e69786d69c4d09ffec15de2c5a459177cf33405be9f666da
Instruction ID: acbd12aa05ac1d6b35c5df17118d523f500d00ab5a457c7ebcc161206cafeddd
Opcode Fuzzy Hash: 015119a57bab5076e69786d69c4d09ffec15de2c5a459177cf33405be9f666da
Instruction Fuzzy Hash: C401B575601228EBCF54EBA4EC59DFE77A8FB66350B14051DF832A73C1EA3459488760

Function 00821BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00821C46

Strings

ComboBox, xrefs: 00821BE5
ListBox, xrefs: 00821C10

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f7d663ccd4849e7fdf2661e396ea12ac245af9600405c79cd48af0ecc7f0da4a
Instruction ID: 8d97e4c39c49792fa1dd8f984982b21953e40f0fd0ef146881a3764089269cff
Opcode Fuzzy Hash: f7d663ccd4849e7fdf2661e396ea12ac245af9600405c79cd48af0ecc7f0da4a
Instruction Fuzzy Hash: C901AC75641118A6CF14FBA0D959EFF77E8FB31340F14001DA916B7281EA289F5887B1

Function 00821C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007C9CB3: _wcslen.LIBCMT ref: 007C9CBD

Part of subcall function 00823CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00823CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00821CC8

Strings

ComboBox, xrefs: 00821C69
ListBox, xrefs: 00821C94

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cb4fc01c7c8478e3fb74cd40590cf7de5031c9b50779dfa0affeb2777da97cb3
Instruction ID: 3d63aa1b108c68fc5c3ab7ae6744be395a5c79e39fa0caf8a81952c70bf8f9bc
Opcode Fuzzy Hash: cb4fc01c7c8478e3fb74cd40590cf7de5031c9b50779dfa0affeb2777da97cb3
Instruction Fuzzy Hash: 06016775641128A6CF14FBA4DA19EFE77E8FB21340B64001DB911F3281EA699F588771

Function 0084747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00847493
_wcslen.LIBCMT ref: 008474B9

Strings

3, 3, 16, 1, xrefs: 00847483

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 9e6789c4df23bd860134a427fa3d340e76f753d04e6cb31080daee3226bda644
Instruction ID: 00d55c2b66d4230e393962a9223cce3db8ef2cc7c8245b6b70377638fbc87928
Opcode Fuzzy Hash: 9e6789c4df23bd860134a427fa3d340e76f753d04e6cb31080daee3226bda644
Instruction Fuzzy Hash: A4E02B42205260609231227A9CC597F5789EFDD750710182BF981D2267EB98DD9193F5

Function 00820B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00820B23

Strings

AutoIt, xrefs: 00820B17
Error allocating memory., xrefs: 00820B1C

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: ac184e5a2a3a550b18203966a7e5a8fe84001482a972acdf05551205f92e8131
Instruction ID: 3d2f66299078dc686590fc344f3244d226fdff7accff9dbf809e6420f4cbc081
Opcode Fuzzy Hash: ac184e5a2a3a550b18203966a7e5a8fe84001482a972acdf05551205f92e8131
Instruction Fuzzy Hash: 88E0D8312443186ED21036957C0BF897F94EF09F61F10046BFB98D56C38AE928904AE9

Function 007E0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(00890A88,00000000,00890A74,007E0D71,?,?,?,007C100A), ref: 007DF7CE

IsDebuggerPresent.KERNEL32(?,?,?,007C100A), ref: 007E0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007C100A), ref: 007E0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 007E0D7F

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: d3d6c6765fef715615ceb604ffbbb37a16fc3c0d2da8640bf1458557b328ecae
Instruction ID: 0036ca8fd212bd09689b395a5af908993533146ef0fbad24d1cfbb0848676cb9
Opcode Fuzzy Hash: d3d6c6765fef715615ceb604ffbbb37a16fc3c0d2da8640bf1458557b328ecae
Instruction Fuzzy Hash: 40E039742003418BD320AFA9D8487467BE0BB04756F00492DE882CA652DBF8E4888BE1

Function 00833017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0083302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00833044

Strings

aut, xrefs: 00833038

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b65a86947dcca7bd0ad053875919d661ff12d1bde9fc5c50fa58fdf04fef556d
Instruction ID: 98e58a1145cb6b1606809b517cf45f24df94bf0d7320a8b3f47ecbb33bf51f69
Opcode Fuzzy Hash: b65a86947dcca7bd0ad053875919d661ff12d1bde9fc5c50fa58fdf04fef556d
Instruction Fuzzy Hash: C9D05E765003286BDA30A7A4AC4EFCB3B6CEB04751F0002A1B655E2091EAB89984CFD0

Function 0081D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0081D220

Strings

%.3d, xrefs: 0081D22B
X64, xrefs: 0081D2A8

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: e625a9d04a2b230b19980cd4d3c6d7d92aa5014bf608326178f50f6855b0e3b6
Instruction ID: d63547bdff0160e4fe89bb17e897f72241467a58c9e3b795673c680c6f15385e
Opcode Fuzzy Hash: e625a9d04a2b230b19980cd4d3c6d7d92aa5014bf608326178f50f6855b0e3b6
Instruction Fuzzy Hash: B9D012A180831CE9CB5096E0CC49AF9B37CFF19305F608453F826D1140D63CE9886B61

Function 00852322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0085232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0085233F

Part of subcall function 0082E97B: Sleep.KERNEL32 ref: 0082E9F3

Strings

Shell_TrayWnd, xrefs: 00852325

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 685b92d40226fb0dbd32b15cfd7944dc2815ef9903bc58227c504fe8f131d39d
Instruction ID: 130bd091dcdfb62f1cc70c64e59a1e4b116a5e3fdbbd94a29f60472ba0349ff3
Opcode Fuzzy Hash: 685b92d40226fb0dbd32b15cfd7944dc2815ef9903bc58227c504fe8f131d39d
Instruction Fuzzy Hash: FCD0A932380310BAE2A4B770AC1FFC66A04BB00B01F004A067205EA1D0D8A8A8418A44

Function 00852356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0085236C
PostMessageW.USER32(00000000), ref: 00852373

Part of subcall function 0082E97B: Sleep.KERNEL32 ref: 0082E9F3

Strings

Shell_TrayWnd, xrefs: 00852365

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 277f9fd82da595071ca0769d738333ac62bb1d3060e880f40fcc39aed8d202e5
Instruction ID: 22ea5ccbd88cc356f63a1a5a9610c0acc21afb50a5c48046be8a367c77a4febf
Opcode Fuzzy Hash: 277f9fd82da595071ca0769d738333ac62bb1d3060e880f40fcc39aed8d202e5
Instruction Fuzzy Hash: 2BD0A9323803107AE2A4B770AC0FFC66A04BB00B01F004A067201EA1D0D8A8A8418A48

Function 007FBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 007FBE93
GetLastError.KERNEL32 ref: 007FBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007FBEFC

Memory Dump Source

Source File: 00000000.00000002.1740122961.00000000007C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007C0000, based on PE: true

Associated: 00000000.00000002.1740098164.00000000007C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.0000000000882000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000088C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.000000000089C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740122961.00000000008E4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740648152.00000000008EA000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1740682303.00000000008EB000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c0000_tN8GsMV1le.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 77e2208cd9a11b475014227fe4451e8599156747b0457ec6b3201ec7815b9f3c
Instruction ID: e5c26a6c2c74baa128d4fef73abc30e204b5a3684a30d56416a15e0b6e9984eb
Opcode Fuzzy Hash: 77e2208cd9a11b475014227fe4451e8599156747b0457ec6b3201ec7815b9f3c
Instruction Fuzzy Hash: E241F53560120AEFCF218FA5CC84ABA7BE5EF45320F144169FA59973A1DB388D00DB61

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tN8GsMV1le.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Halitherses

C:\Users\user\AppData\Local\flexuosely\ageless.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ageless.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
tN8GsMV1le.exe

Function 007C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 007C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
timewindowregistryCOMMON

Function 007C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00802BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0080065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 007C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 007C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 007C2CD4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Function 017CDF00 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Function 007C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 008EA700 Relevance: 7.7, APIs: 5, Instructions: 207
librarymemoryloaderCOMMON

Function 017CF9B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 164
fileCOMMON

Function 007C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre