Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	861720
MD5:	9b2514f290b0e5fe4cd2e6f1745ea188
SHA1:	5a4ab23846c5425abba98c24009c561a787dadfb
SHA256:	c0243843ad83a16bc3c9fe59f8d530aee08fbe163b45cf676c4327d1f2a0a6fb
Tags:	exe
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Writes to foreign memory regions

Found strings related to Crypto-Mining

Monitors registry run keys for changes

Detected Stratum mining protocol

Allocates memory in foreign processes

Contains functionality to modify clipboard data

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Enables debug privileges

Sample file is different than original file name gathered from version info

OS version to string mapping found (often used in BOTs)

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Contains functionality to launch a program with higher privileges

Potential key logger detected (key state polling based)

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

file.exe (PID: 3988 cmdline: C:\Users\user\Desktop\file.exe MD5: 9B2514F290B0E5FE4CD2E6F1745EA188)

file.exe (PID: 4788 cmdline: C:\Users\user\Desktop\file.exe MD5: 9B2514F290B0E5FE4CD2E6F1745EA188)

notepad.exe (PID: 7152 cmdline: C:\Windows\notepad.exe" -c "C:\ProgramData\zmWLVbyRgm\cfg MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\zmWLVbyRgm\cfgi	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
C:\ProgramData\zmWLVbyRgm\cfg	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.526929081.000002347DEC2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.267648050.0000000004D00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.267053269.0000000004CF9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.270563383.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.266004196.0000000004DFE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.270272153.0000000004F03000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.278820913.0000000004E01000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000B.00000002.525895989.000000000050D000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000001.00000002.527184062.0000000001480000.00000040.00000400.00020000.00000000.sdmp	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20	Detects XMRIG crypto coin miners	Florian Roth (Nextron Systems)	0xd99d0:$x1: xmrig.exe 0xd98b8:$x2: xmrig.com 0xd9994:$x2: xmrig.com
00000001.00000002.527184062.0000000001480000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.266165449.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.272024237.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.265865219.0000000004CF2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.267996427.0000000004E07000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.266668654.0000000004BFA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.276116511.00000000049FB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000002.279512989.0000000005220000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.268978093.0000000004F00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.266256656.0000000004F08000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000B.00000002.525895989.0000000000400000.00000040.00000001.00020000.00000000.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth (Nextron Systems)	0xdb424:$sa1: stratum+tcp://
0000000B.00000002.525895989.0000000000400000.00000040.00000001.00020000.00000000.sdmp	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0xda7ee:$s05: --nicehash
0000000B.00000002.525895989.0000000000400000.00000040.00000001.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.272318820.0000000004D00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.266446164.0000000004DF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.272576404.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000000.00000003.267449934.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: notepad.exe PID: 7152	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth (Nextron Systems)	0x9ac8:$sa1: stratum+tcp:// 0x9b06:$sa1: stratum+tcp://
Process Memory Space: notepad.exe PID: 7152	PUA_Crypto_Mining_CommandLine_Indicators_Oct21	Detects command line parameters often used by crypto mining software	Florian Roth (Nextron Systems)	0x8e0b:$s05: --nicehash
Process Memory Space: notepad.exe PID: 7152	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.file.exe.14f9a18.1.raw.unpack	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20	Detects XMRIG crypto coin miners	Florian Roth (Nextron Systems)	0x5ffb8:$x1: xmrig.exe 0x5fea0:$x2: xmrig.com 0x5ff7c:$x2: xmrig.com
1.2.file.exe.14f9a18.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4d10020.6.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.2.file.exe.4e19000.2.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4e15020.1.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4f17020.10.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4b0c020.13.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4d17020.8.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4e14020.2.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4c11020.5.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.2.file.exe.4e19000.2.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4d17020.12.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.2.file.exe.5220000.5.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
1.2.file.exe.1480000.2.raw.unpack	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20	Detects XMRIG crypto coin miners	Florian Roth (Nextron Systems)	0xd99d0:$x1: xmrig.exe 0xd98b8:$x2: xmrig.com 0xd9994:$x2: xmrig.com
1.2.file.exe.1480000.2.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4c11020.5.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4d09020.0.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4e15020.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4f1f020.3.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.2.file.exe.5220000.5.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4f07020.7.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4e14020.2.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
1.2.file.exe.1480000.2.unpack	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20	Detects XMRIG crypto coin miners	Florian Roth (Nextron Systems)	0xd87d0:$x1: xmrig.exe 0xd86b8:$x2: xmrig.com 0xd8794:$x2: xmrig.com
1.2.file.exe.1480000.2.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4f07020.7.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.2.file.exe.4e00000.1.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
1.2.file.exe.14f9a18.1.unpack	PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20	Detects XMRIG crypto coin miners	Florian Roth (Nextron Systems)	0x5ffb8:$x1: xmrig.exe 0x5fea0:$x2: xmrig.com 0x5ff7c:$x2: xmrig.com
1.2.file.exe.14f9a18.1.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4e1e020.9.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4c16020.11.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4a12020.14.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4c16020.11.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4e07020.4.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0.3.file.exe.4e07020.4.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 29 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 75%
Source: file.exe	Virustotal: Detection: 71%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\zmWLVbyRgm\lsas.exe

Avira: detection malicious, Label: HEUR/AGEN.1319206

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\zmWLVbyRgm\lsas.exe	ReversingLabs: Detection: 75%
Source: C:\ProgramData\zmWLVbyRgm\lsas.exe	Virustotal: Detection: 71%			Perma Link

Source: 0.2.file.exe.5220000.5.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.2.file.exe.1480000.2.unpack	Avira: Label: TR/ATRAPS.Gen

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 1.2.file.exe.14f9a18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4d10020.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4e19000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4e15020.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4f17020.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4b0c020.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4d17020.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4e14020.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4c11020.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4e19000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4d17020.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.5220000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.1480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4c11020.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4d09020.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4e15020.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4f1f020.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.5220000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4f07020.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4e14020.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.1480000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4f07020.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4e00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.14f9a18.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4e1e020.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4c16020.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4a12020.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4c16020.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4e07020.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.4e07020.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.526929081.000002347DEC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.267648050.0000000004D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.267053269.0000000004CF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.270563383.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.266004196.0000000004DFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.270272153.0000000004F03000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.278820913.0000000004E01000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.525895989.000000000050D000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.527184062.0000000001480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.266165449.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.272024237.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.265865219.0000000004CF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.267996427.0000000004E07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.266668654.0000000004BFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.276116511.00000000049FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.279512989.0000000005220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.268978093.0000000004F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.266256656.0000000004F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.525895989.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.272318820.0000000004D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.266446164.0000000004DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.272576404.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.267449934.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: notepad.exe PID: 7152, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\zmWLVbyRgm\cfgi, type: DROPPED
Source: Yara match	File source: C:\ProgramData\zmWLVbyRgm\cfg, type: DROPPED

Found strings related to Crypto-Mining

Source: notepad.exe, 0000000B.00000002.525895989.0000000000400000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: file.exe	String found in binary or memory: { "algo": "cryptonight",
Source: file.exe	String found in binary or memory: XMRMiner3
Source: notepad.exe, 0000000B.00000002.525895989.0000000000400000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: notepad.exe, 0000000B.00000002.525895989.0000000000400000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: stratum+tcp://
Source: notepad.exe, 0000000B.00000002.525895989.0000000000400000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: file.exe	String found in binary or memory: XMRig CPU miner

Detected Stratum mining protocol

Source: global traffic	TCP traffic: 192.168.2.3:49700 -> 141.94.96.71:5555 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47g8kfjfmjnakxtwf6yvp8gjvfcbgfgc7gqy77ua91jhdtu58zgxe24ymfzb8kzyqymk2gzgazqk8ioqznxzcpzgefdffxx","pass":"xmrminer3","agent":"xmrig/2.6.2 (windows nt 10.0; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.
Source: global traffic	TCP traffic: 192.168.2.3:49701 -> 141.94.96.71:5555 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47g8kfjfmjnakxtwf6yvp8gjvfcbgfgc7gqy77ua91jhdtu58zgxe24ymfzb8kzyqymk2gzgazqk8ioqznxzcpzgefdffxx","pass":"xmrminer3","agent":"xmrig/2.6.2 (windows nt 10.0; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.
Source: global traffic	TCP traffic: 192.168.2.3:49702 -> 141.94.96.195:5555 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47g8kfjfmjnakxtwf6yvp8gjvfcbgfgc7gqy77ua91jhdtu58zgxe24ymfzb8kzyqymk2gzgazqk8ioqznxzcpzgefdffxx","pass":"xmrminer3","agent":"xmrig/2.6.2 (windows nt 10.0; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.
Source: global traffic	TCP traffic: 192.168.2.3:49703 -> 141.94.96.71:5555 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47g8kfjfmjnakxtwf6yvp8gjvfcbgfgc7gqy77ua91jhdtu58zgxe24ymfzb8kzyqymk2gzgazqk8ioqznxzcpzgefdffxx","pass":"xmrminer3","agent":"xmrig/2.6.2 (windows nt 10.0; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.
Source: global traffic	TCP traffic: 192.168.2.3:49704 -> 141.94.96.195:5555 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47g8kfjfmjnakxtwf6yvp8gjvfcbgfgc7gqy77ua91jhdtu58zgxe24ymfzb8kzyqymk2gzgazqk8ioqznxzcpzgefdffxx","pass":"xmrminer3","agent":"xmrig/2.6.2 (windows nt 10.0; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.
Source: global traffic	TCP traffic: 192.168.2.3:49705 -> 141.94.96.195:5555 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47g8kfjfmjnakxtwf6yvp8gjvfcbgfgc7gqy77ua91jhdtu58zgxe24ymfzb8kzyqymk2gzgazqk8ioqznxzcpzgefdffxx","pass":"xmrminer3","agent":"xmrig/2.6.2 (windows nt 10.0; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.
Source: global traffic	TCP traffic: 192.168.2.3:49706 -> 141.94.96.144:5555 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47g8kfjfmjnakxtwf6yvp8gjvfcbgfgc7gqy77ua91jhdtu58zgxe24ymfzb8kzyqymk2gzgazqk8ioqznxzcpzgefdffxx","pass":"xmrminer3","agent":"xmrig/2.6.2 (windows nt 10.0; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.
Source: global traffic	TCP traffic: 192.168.2.3:49707 -> 141.94.96.144:5555 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47g8kfjfmjnakxtwf6yvp8gjvfcbgfgc7gqy77ua91jhdtu58zgxe24ymfzb8kzyqymk2gzgazqk8ioqznxzcpzgefdffxx","pass":"xmrminer3","agent":"xmrig/2.6.2 (windows nt 10.0; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.
Source: global traffic	TCP traffic: 192.168.2.3:49708 -> 141.94.96.71:5555 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47g8kfjfmjnakxtwf6yvp8gjvfcbgfgc7gqy77ua91jhdtu58zgxe24ymfzb8kzyqymk2gzgazqk8ioqznxzcpzgefdffxx","pass":"xmrminer3","agent":"xmrig/2.6.2 (windows nt 10.0; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.
Source: global traffic	TCP traffic: 192.168.2.3:49709 -> 141.94.96.144:5555 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47g8kfjfmjnakxtwf6yvp8gjvfcbgfgc7gqy77ua91jhdtu58zgxe24ymfzb8kzyqymk2gzgazqk8ioqznxzcpzgefdffxx","pass":"xmrminer3","agent":"xmrig/2.6.2 (windows nt 10.0; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.
Source: global traffic	TCP traffic: 192.168.2.3:49710 -> 141.94.96.71:5555 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47g8kfjfmjnakxtwf6yvp8gjvfcbgfgc7gqy77ua91jhdtu58zgxe24ymfzb8kzyqymk2gzgazqk8ioqznxzcpzgefdffxx","pass":"xmrminer3","agent":"xmrig/2.6.2 (windows nt 10.0; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.
Source: global traffic	TCP traffic: 192.168.2.3:49711 -> 141.94.96.195:5555 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47g8kfjfmjnakxtwf6yvp8gjvfcbgfgc7gqy77ua91jhdtu58zgxe24ymfzb8kzyqymk2gzgazqk8ioqznxzcpzgefdffxx","pass":"xmrminer3","agent":"xmrig/2.6.2 (windows nt 10.0; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.
Source: global traffic	TCP traffic: 192.168.2.3:49712 -> 141.94.96.195:5555 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47g8kfjfmjnakxtwf6yvp8gjvfcbgfgc7gqy77ua91jhdtu58zgxe24ymfzb8kzyqymk2gzgazqk8ioqznxzcpzgefdffxx","pass":"xmrminer3","agent":"xmrig/2.6.2 (windows nt 10.0; win64; x64) libuv/1.20.2 gcc/7.3.0","algo":["cn/1","cn/0","cn/xtl","cn"]}}.

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.5220000.5.unpack

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: file.exe, 00000000.00000002.279190942.0000000005090000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.278986654.0000000004F00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: file.exe, 00000000.00000002.279190942.0000000005090000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.278986654.0000000004F00000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AEDD92 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00AEDD92
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B22044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B22044
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B2219F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B1F350
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B224A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B224A9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B22044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00B22044
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B2219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00B2219F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B224A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00B224A9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B16B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	1_2_00B16B3F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B16E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	1_2_00B16E4A

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\notepad.exe	Network Connect: 141.94.96.195 5555	Jump to behavior
Source: C:\Windows\notepad.exe	Domain query: pool.supportxmr.com
Source: C:\Windows\notepad.exe	Network Connect: 141.94.96.71 5555	Jump to behavior
Source: C:\Windows\notepad.exe	Network Connect: 141.94.96.144 5555	Jump to behavior

Source: Joe Sandbox View

ASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese DFNVereinzurFoerderungeinesDeutschenForschungsnetzese

Source: Joe Sandbox View	IP Address: 141.94.96.195 141.94.96.195
Source: Joe Sandbox View	IP Address: 141.94.96.71 141.94.96.71

Source: global traffic	TCP traffic: 192.168.2.3:49698 -> 149.210.249.142:11119
Source: global traffic	TCP traffic: 192.168.2.3:49700 -> 141.94.96.71:5555
Source: global traffic	TCP traffic: 192.168.2.3:49702 -> 141.94.96.195:5555
Source: global traffic	TCP traffic: 192.168.2.3:49706 -> 141.94.96.144:5555

Source: file.exe, 00000001.00000002.527597692.00000000018A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.527597692.0000000001867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://149.210.249.142:11119/xmr/fsociety.txt
Source: file.exe, 00000001.00000002.527597692.0000000001867000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://149.210.249.142:11119/xmr/fsociety.txtx

Source: unknown

DNS traffic detected: queries for: pool.supportxmr.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00B27294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_00B27294

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00B27099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_00B27099

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B3F5D0 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00B3F5D0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B14342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00B14342

Source: C:\Users\user\Desktop\file.exe

1_2_00B27099

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.file.exe.14f9a18.1.raw.unpack, type: UNPACKEDPE	Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth (Nextron Systems), description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 1.2.file.exe.1480000.2.raw.unpack, type: UNPACKEDPE	Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth (Nextron Systems), description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 1.2.file.exe.1480000.2.unpack, type: UNPACKEDPE	Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth (Nextron Systems), description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 1.2.file.exe.14f9a18.1.unpack, type: UNPACKEDPE	Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth (Nextron Systems), description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 00000001.00000002.527184062.0000000001480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20 date = 2020-12-31, hash1 = b6154d25b3aa3098f2cee790f5de5a727fc3549865a7aa2196579fe39a86de09, author = Florian Roth (Nextron Systems), description = Detects XMRIG crypto coin miners, reference = https://www.intezer.com/blog/research/new-golang-worm-drops-xmrig-miner-on-servers/
Source: 0000000B.00000002.525895989.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth (Nextron Systems), description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: 0000000B.00000002.525895989.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero
Source: Process Memory Space: notepad.exe PID: 7152, type: MEMORYSTR	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth (Nextron Systems), description = Detects mining pool protocol string in Executable, nodeepdive = , score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26
Source: Process Memory Space: notepad.exe PID: 7152, type: MEMORYSTR	Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth (Nextron Systems), description = Detects command line parameters often used by crypto mining software, score = , reference = https://www.poolwatch.io/coin/monero

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B182D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00B182D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B182D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		1_2_00B182D0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE3680	0_2_00AE3680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AE2B40	0_2_00AE2B40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ADDCD0	0_2_00ADDCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AFBDF6	0_2_00AFBDF6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ADA0C0	0_2_00ADA0C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AF0183	0_2_00AF0183
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B0113E	0_2_00B0113E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1220C	0_2_00B1220C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B0542F	0_2_00B0542F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B3F5D0	0_2_00B3F5D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD8530	0_2_00AD8530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD6670	0_2_00AD6670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B08779	0_2_00B08779
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B3A8DC	0_2_00B3A8DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B0599F	0_2_00B0599F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00ADA0C0	1_2_00ADA0C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AF0183	1_2_00AF0183
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B1220C	1_2_00B1220C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AD8530	1_2_00AD8530
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AF0677	1_2_00AF0677
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AD6670	1_2_00AD6670
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B08779	1_2_00B08779
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B3A8DC	1_2_00B3A8DC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AF0A8F	1_2_00AF0A8F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AD6BBC	1_2_00AD6BBC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AE2B40	1_2_00AE2B40
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AD8CA0	1_2_00AD8CA0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AFAC83	1_2_00AFAC83
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AEAD5C	1_2_00AEAD5C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B04EBF	1_2_00B04EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AF0EC4	1_2_00AF0EC4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B330AD	1_2_00B330AD
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B0113E	1_2_00B0113E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AF12F9	1_2_00AF12F9

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00ADCAEE appears 41 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00AF247B appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00AF7750 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00AEF885 appears 56 times

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B0B9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B0B9F1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B170AE: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00B170AE

Source: file.exe, 00000000.00000003.276812963.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEinSx vs file.exe
Source: file.exe, 00000000.00000003.276812963.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameccf1df< vs file.exe
Source: file.exe, 00000000.00000003.277134475.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEinSx vs file.exe
Source: file.exe, 00000000.00000003.277134475.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameccf1df< vs file.exe
Source: file.exe, 00000000.00000002.279190942.00000000051AF000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs file.exe
Source: file.exe, 00000000.00000003.275999979.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEm vs file.exe
Source: file.exe, 00000000.00000003.275999979.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.273040301.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEinSx vs file.exe
Source: file.exe, 00000000.00000003.273040301.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameccf1df< vs file.exe
Source: file.exe, 00000000.00000002.278290672.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAMEinSx vs file.exe
Source: file.exe, 00000000.00000002.278290672.00000000011DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameccf1df< vs file.exe
Source: file.exe, 00000000.00000002.278986654.0000000005016000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs file.exe
Source: file.exe	Binary or memory string: OriginalFilename vs file.exe

Source: file.exe	ReversingLabs: Detection: 75%
Source: file.exe	Virustotal: Detection: 71%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\notepad.exe C:\Windows\notepad.exe" -c "C:\ProgramData\zmWLVbyRgm\cfg
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\notepad.exe C:\Windows\notepad.exe" -c "C:\ProgramData\zmWLVbyRgm\cfg	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B0B8B0 AdjustTokenPrivileges,CloseHandle,

0_2_00B0B8B0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\blsncxvoxmotpljzrxtwkmpap5606009.png

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\autF235.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.spyw.evad.mine.winEXE@5/5@13/4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B11050 CoCreateInstance,SetErrorMode,GetProcAddress,SetErrorMode,

0_2_00B11050

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00B1EA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_00B1EA85

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B1D712 GetLastError,FormatMessageW,

0_2_00B1D712

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00B16F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,

1_2_00B16F5B

Source: C:\Users\user\Desktop\file.exe

Mutant created: \Sessions\1\BaseNamedObjects\3cfd95dc99d265fdd974

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AD31F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00AD31F2

Source: C:\Windows\notepad.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\notepad.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: file.exe

Static file information: File size 1952768 > 1048576

Source: file.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x113800

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: file.exe, 00000000.00000002.279190942.0000000005090000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.278986654.0000000004F00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: file.exe, 00000000.00000002.279190942.0000000005090000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.278986654.0000000004F00000.00000004.00001000.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.5220000.5.unpack

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AF7795 push ecx; ret

0_2_00AF77A8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B113A6 LoadLibraryA,GetProcAddress,

0_2_00B113A6

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\zmWLVbyRgm\lsas.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\zmWLVbyRgm\lsas.exe

Jump to dropped file

Boot Survival

Monitors registry run keys for changes

Source: C:\Users\user\Desktop\file.exe

Registry key monitored: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AeIdHFlbXA			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AeIdHFlbXA			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\file.exe

File opened: C:\ProgramData\zmWLVbyRgm\lsas.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AEF78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00AEF78E

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\notepad.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 2996

Thread sleep time: -56000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

API coverage: 8.7 %

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AEE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AEE47B

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AEDD92 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00AEDD92
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B22044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B22044
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B2219F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B1F350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B1F350
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B224A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B224A9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B22044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00B22044
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B2219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00B2219F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B224A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00B224A9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B16B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	1_2_00B16B3F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00B16E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	1_2_00B16E4A

Source: notepad.exe, 0000000B.00000002.526814303.000002347C5E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: file.exe, 00000000.00000003.262666819.0000000000F59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}FiQ
Source: file.exe, 00000001.00000002.527597692.00000000018A1000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 0000000B.00000002.526814303.000002347C5E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.527597692.0000000001867000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: file.exe, 00000000.00000003.262772757.0000000000F59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}FiQ

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AD374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,

0_2_00AD374E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B046D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00B046D0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B113A6 LoadLibraryA,GetProcAddress,

0_2_00B113A6

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00B0B398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00B0B398

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00B2703C BlockInput,

1_2_00B2703C

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AF8E19 SetUnhandledExceptionFilter,	0_2_00AF8E19
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AF8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00AF8E3C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00AF8E19 SetUnhandledExceptionFilter,	1_2_00AF8E19

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\notepad.exe	Network Connect: 141.94.96.195 5555	Jump to behavior
Source: C:\Windows\notepad.exe	Domain query: pool.supportxmr.com
Source: C:\Windows\notepad.exe	Network Connect: 141.94.96.71 5555	Jump to behavior
Source: C:\Windows\notepad.exe	Network Connect: 141.94.96.144 5555	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\notepad.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\notepad.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\notepad.exe base: 4B5000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\notepad.exe base: 510000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\notepad.exe base: 39D7915010	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\notepad.exe base: 400000	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\notepad.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Users\user\Desktop\file.exe base: 1480000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\notepad.exe base: 400000 value starts with: 4D5A			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\file.exe

Thread register set: target process: 7152

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00AEF78E

Source: C:\Users\user\Desktop\file.exe

0_2_00AD374E

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\notepad.exe C:\Windows\notepad.exe" -c "C:\ProgramData\zmWLVbyRgm\cfg			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00B0B398

Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: file.exe, lsas.exe.1.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AF7254 cpuid

0_2_00AF7254

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AF40DA GetSystemTimeAsFileTime,__aulldiv,

0_2_00AF40DA

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00B02C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_00B02C3C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AEE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AEE47B

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00B4C146 GetUserNameW,

1_2_00B4C146

Source: lsas.exe.1.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe, 00000000.00000003.275711108.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_XPm
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	1 Native API	1 Valid Accounts	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	11 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	12 Clipboard Data	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	512 Process Injection	11 Software Packing	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Valid Accounts	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	11 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	512 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Hidden Files and Directories	Network Sniffing	1 System Owner/User Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	1 Remote System Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	76%	ReversingLabs	Win32.Trojan.Generic
file.exe	71%	Virustotal		Browse
file.exe	100%	Avira	HEUR/AGEN.1319206

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\zmWLVbyRgm\lsas.exe	100%	Avira	HEUR/AGEN.1319206
C:\ProgramData\zmWLVbyRgm\lsas.exe	76%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\zmWLVbyRgm\lsas.exe	71%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.3.file.exe.4e14020.2.unpack	100%	Avira	HEUR/AGEN.1318476	Download File
0.2.file.exe.5220000.5.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.0.file.exe.ad0000.0.unpack	100%	Avira	HEUR/AGEN.1319206	Download File
1.0.file.exe.ad0000.0.unpack	100%	Avira	HEUR/AGEN.1319206	Download File
0.2.file.exe.ad0000.0.unpack	100%	Avira	HEUR/AGEN.1319206	Download File
1.2.file.exe.ad0000.0.unpack	100%	Avira	HEUR/AGEN.1319206	Download File
1.2.file.exe.1480000.2.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
0.2.file.exe.4e00000.1.unpack	100%	Avira	HEUR/AGEN.1300811	Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pool-fr.supportxmr.com	141.94.96.144	true	false		high
pool.supportxmr.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://149.210.249.142:11119/xmr/fsociety.txt	file.exe, 00000001.00000002.527597692.00000000018A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.527597692.0000000001867000.00000004.00000020.00020000.00000000.sdmp	false		high
http://149.210.249.142:11119/xmr/fsociety.txtx	file.exe, 00000001.00000002.527597692.0000000001867000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
141.94.96.195	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true
149.210.249.142	unknown	Netherlands	20857	TRANSIP-ASAmsterdamtheNetherlandsNL	false
141.94.96.71	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true
141.94.96.144	pool-fr.supportxmr.com	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	861720
Start date and time:	2023-05-09 02:05:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal100.spyw.evad.mine.winEXE@5/5@13/4
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 0.5% (good quality ratio 0.5%) Quality average: 85.2% Quality standard deviation: 10.4%
HCA Information:	Successful, ratio: 85% Number of executed functions: 68 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Execution Graph export aborted for target file.exe, PID 4788 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:06:34	API Interceptor	1x Sleep call for process: file.exe modified
02:07:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AeIdHFlbXA "C:\PROGRA~3\ZMWLVB~1\lsas.exe"
02:07:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AeIdHFlbXA "C:\PROGRA~3\ZMWLVB~1\lsas.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
141.94.96.195	WvWlWr2HC0.exe	Get hash	malicious	LoaderBot, RedLine, SmokeLoader, Vidar, Xmrig, zgRAT	Browse
	file.exe	Get hash	malicious	RHADAMANTHYS, RedLine, Xmrig	Browse
	DHL ORIGINAL DOCUMENTS.exe	Get hash	malicious	RHADAMANTHYS, Xmrig	Browse
	SecuriteInfo.com.Trojan.Siggen19.4846.9932.10970.exe	Get hash	malicious	Xmrig	Browse
	SecuriteInfo.com.Win32.PWSX-gen.2031.32670.exe	Get hash	malicious	Eternity Stealer, Eternity Worm, Xmrig	Browse
141.94.96.71	KMSPicoSetup.exe	Get hash	malicious	Xmrig	Browse
	target.ps1	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	LoaderBot, Xmrig	Browse
	file.exe	Get hash	malicious	RHADAMANTHYS, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	PrivateLoader, RHADAMANTHYS, Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pool-fr.supportxmr.com	GoogleUpdate.exe	Get hash	malicious	Xmrig	Browse	141.94.96.144
	KMSPicoSetup.exe	Get hash	malicious	Xmrig	Browse	141.94.96.195
	WvWlWr2HC0.exe	Get hash	malicious	LoaderBot, RedLine, SmokeLoader, Vidar, Xmrig, zgRAT	Browse	141.94.96.144
	spread.exe	Get hash	malicious	ETERNALBLUE, Xmrig	Browse	141.94.96.144
	target.ps1	Get hash	malicious	Xmrig	Browse	141.94.96.144
	Activator.exe	Get hash	malicious	Xmrig	Browse	141.94.96.144
	d.py	Get hash	malicious	PwnRig Miner	Browse	141.94.96.71
	file.exe	Get hash	malicious	LoaderBot, Xmrig	Browse	141.94.96.195
	PYnsVrS3EX.exe	Get hash	malicious	Xmrig	Browse	141.94.96.71
	PYnsVrS3EX.exe	Get hash	malicious	Xmrig	Browse	141.94.96.71
	file.exe	Get hash	malicious	RHADAMANTHYS, RedLine, Xmrig	Browse	141.94.96.71
	DHL ORIGINAL DOCUMENTS.exe	Get hash	malicious	RHADAMANTHYS, Xmrig	Browse	141.94.96.71
	DHL Original Documents.exe	Get hash	malicious	RHADAMANTHYS, Xmrig	Browse	141.94.96.144
	file.exe	Get hash	malicious	RHADAMANTHYS, Vidar, Xmrig	Browse	141.94.96.71
	file.exe	Get hash	malicious	PrivateLoader, RHADAMANTHYS, Xmrig	Browse	141.94.96.71
	4K3qxRG6WM.exe	Get hash	malicious	LoaderBot, Xmrig	Browse	141.94.96.71
	SecuriteInfo.com.Trojan.Siggen19.4846.9932.10970.exe	Get hash	malicious	Xmrig	Browse	141.94.96.195
	SecuriteInfo.com.Win32.PWSX-gen.2031.32670.exe	Get hash	malicious	Eternity Stealer, Eternity Worm, Xmrig	Browse	141.94.96.195
	xxx.elf	Get hash	malicious	Xmrig	Browse	141.94.96.195
	2WaHRYT3u5.exe	Get hash	malicious	Xmrig	Browse	141.94.96.71

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	29sbbAAUwY.elf	Get hash	malicious	Mirai	Browse	134.245.52.186
	2YVdesjGIA.elf	Get hash	malicious	Mirai	Browse	134.245.75.55
	u.elf	Get hash	malicious	Unknown	Browse	212.201.98.66
	https://clubpremier.page.link/?link=https://member.clubpremier.com/check-unique-id/yLOGA98YuTQtOxWSQM8wmS7gfLsfgGJBTA6AdBfEllmkgsZydtl2UYCYbaMq4SwfQjIJa8CItWIZQcJVpQizGfG9JoGRCEVfHc6DAYUnIEIA1onWBzlAS1584StSCL5bUosLYxuK2Z8xE609YjzXKu18SnaFHBg5noPyyXcQG3igmrGL6RSUjR2J2yx2StcURSdE0XNuaerRvLokksyFwZNsTmO3aCEZ2AoJXQEVyVRiiLoBEBLm9KhlzGx9cKx&apn=com.clubpremier.loyalty.android&afl=https://member.clubpremier.com/check-unique-id/yLOGA98YuTQtOxWSQM8wmS7gfLsfgGJBTA6AdBfEllmkgsZydtl2UYCYbaMq4SwfQjIJa8CItWIZQcJVpQizGfG9JoGRCEVfHc6DAYUnIEIA1onWBzlAS1584StSCL5bUosLYxuK2Z8xE609YjzXKu18SnaFHBg5noPyyXcQG3igmrGL6RSUjR2J2yx2StcURSdE0XNuaerRvLokksyFwZNsTmO3aCEZ2AoJXQEVyVRiiLoBEBLm9KhlzGx9cKx&isi=592240448&ibi=com.clubpremier.loyalty.iphone&ifl=https://member.clubpremier.com/check-unique-id/yLOGA98YuTQtOxWSQM8wmS7gfLsfgGJBTA6AdBfEllmkgsZydtl2UYCYbaMq4SwfQjIJa8CItWIZQcJVpQizGfG9JoGRCEVfHc6DAYUnIEIA1onWBzlAS1584StSCL5bUosLYxuK2Z8xE609YjzXKu18SnaFHBg5noPyyXcQG3igmrGL6RSUjR2J2yx2StcURSdE0XNuaerRvLokksyFwZNsTmO3aCEZ2AoJXQEVyVRiiLoBEBLm9KhlzGx9cKx	Get hash	malicious	Unknown	Browse	141.94.170.77
	http://webpich1ncha.vastserve.com/loig/?i=2	Get hash	malicious	Unknown	Browse	141.94.74.51
	DZAeTv0VWs.elf	Get hash	malicious	Mirai	Browse	149.220.194.191
	http://actualizaraqui3.byethost14.com/	Get hash	malicious	Unknown	Browse	141.94.74.51
	Cj1mRQdRCL.elf	Get hash	malicious	Mirai, Moobot	Browse	128.140.211.219
	PNUGTuZahh.elf	Get hash	malicious	Mirai, Moobot	Browse	141.76.161.1
	v63K1OYjob.elf	Get hash	malicious	Mirai	Browse	141.46.244.240
	https://opencaptchahere.top/ms/robot4/?c=b93ede38-67f7-42fa-b55a-532490cc1a3c&a=l118215	Get hash	malicious	GRQ Scam	Browse	141.95.108.246
	I9zGWtyw6R.elf	Get hash	malicious	Mirai	Browse	139.21.213.59
	picasa-3.9.141.303-installer_8atA-M1.exe	Get hash	malicious	Unknown	Browse	141.94.171.214
	picasa-3.9.141.303-installer_8atA-M1.exe	Get hash	malicious	Unknown	Browse	141.95.33.111
	wMy651RIIk.elf	Get hash	malicious	Moobot	Browse	141.75.107.247
	uUiFlCKiYP.elf	Get hash	malicious	Mirai, Moobot	Browse	141.74.3.135
	rFCWZi52k0.elf	Get hash	malicious	Moobot	Browse	141.71.172.233
	IyzGYbCJ9N.elf	Get hash	malicious	Moobot	Browse	139.13.211.117
	gOQlgvVx2H.elf	Get hash	malicious	Mirai, Moobot	Browse	141.43.251.214
	5dVvxyeGuG.elf	Get hash	malicious	Moobot	Browse	139.11.16.12

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\zmWLVbyRgm\cfg

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	579
Entropy (8bit):	5.252140941752997
Encrypted:	false
SSDEEP:	12:F8AUCiXTUaZWurqXlYP9VuW4LdqmZn96Wn8Xx8BBY:FAjhWu+XlhWGAUnwXKTY
MD5:	3D5F36DAB7B06C29E811D4D4C68728AA
SHA1:	B616EEC8F6FC9430CC324C5C45C7D2BACADEC99A
SHA-256:	838F78AF7DD0DBAA187C86326DAD0F66EE85AAE2206011661FAD3F4F992F5F33
SHA-512:	8571F1307C3658FFF3992D661878F81A0CE0355D1B0DFAEA7F293298420E6CE256B9E7C946BC29052889E2491615D2B1C1459B5499538C88FA5481542027E57D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\ProgramData\zmWLVbyRgm\cfg, Author: Joe Security
Reputation:	low
Preview:	{..."algo": "cryptonight",..."background": false,..."colors": true,..."retries": 5,..."retry-pause": 5,..."syslog": false,..."print-time": 60,..."av": 0,..."safe": false,..."cpu-priority": null,..."cpu-affinity": null,..."threads": 2,..."pools": [....{....."url": "pool.supportxmr.com:5555",....."user": "47G8kfJfMJnaKxtwF6yVP8GJvfcbGFGC7gqY77UA91JHdTu58ZgXe24YMFzB8KZyQyMk2GzgazQK8ioQZnXZcPZGEfdfFxX",....."pass": "XMRMiner3",....."keepalive": false,....."nicehash": false,....."variant": 1....}...],..."api": {...."port": 0,...."access-token": null,...."worker-id": null...}..}

C:\ProgramData\zmWLVbyRgm\cfgi

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	579
Entropy (8bit):	5.252140941752997
Encrypted:	false
SSDEEP:	12:F8AUCiXTUaZWurWfXlYP9VuW4LdqmZn96Wn8Xx8BBY:FAjhWukXlhWGAUnwXKTY
MD5:	4057028C4446432AD7FE852907898B97
SHA1:	CB9675193C26892323B9E2647B1484AB2CA8F64D
SHA-256:	6DE5711EB4129B458F02A2F99184D96B3F64633E05A07DB17D9B4F9C57770139
SHA-512:	F01A0414C3DE562117C6B781F9812CEC8ECB487B768AA724F8F3A4E83E5E83025173A59A7B6F7E81A96917B378CE8E7D37B1DE45513FA481B8F755A89610780F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\ProgramData\zmWLVbyRgm\cfgi, Author: Joe Security
Reputation:	low
Preview:	{..."algo": "cryptonight",..."background": false,..."colors": true,..."retries": 5,..."retry-pause": 5,..."syslog": false,..."print-time": 60,..."av": 0,..."safe": false,..."cpu-priority": null,..."cpu-affinity": null,..."threads": 4,..."pools": [....{....."url": "pool.supportxmr.com:5555",....."user": "47G8kfJfMJnaKxtwF6yVP8GJvfcbGFGC7gqY77UA91JHdTu58ZgXe24YMFzB8KZyQyMk2GzgazQK8ioQZnXZcPZGEfdfFxX",....."pass": "XMRMiner3",....."keepalive": false,....."nicehash": false,....."variant": 1....}...],..."api": {...."port": 0,...."access-token": null,...."worker-id": null...}..}

C:\ProgramData\zmWLVbyRgm\lsas.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1952768
Entropy (8bit):	7.590577277598473
Encrypted:	false
SSDEEP:	49152:Wkwkn9IMHeaA5bCshNwynVIQwMlw1yYtor6KadBaPCS:VdnV3AXVLwMlwJo2vGPC
MD5:	9B2514F290B0E5FE4CD2E6F1745EA188
SHA1:	5A4AB23846C5425ABBA98C24009C561A787DADFB
SHA-256:	C0243843AD83A16BC3C9FE59F8D530AEE08FBE163B45CF676C4327D1F2A0A6FB
SHA-512:	EDF2C8B0E06249AB7D331F5845DA6B6F0B7F28C8E3B10043B87AC7BF33D646A1A56A18C522B0B2F12BFD1A27392BEAA4C6D961FA0F2B7EDF2D93D9C2484FD990
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 76% Antivirus: Virustotal, Detection: 71%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.............g.........$.............%....H......X.2........q)..Z..q).....q).......\....q).....Rich...........................PE..L...%..[.........."..................k............@..........................0......5.....@...@.......@.....................lk..\|....@...7...................... l..................................p'..@...............X............................text...t........................... ..`.rdata..j...........................@..@.data...4........b..................@....rsrc....7...@...8..................@..@.reloc..b............&..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autF235.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	991760
Entropy (8bit):	7.999820568418514
Encrypted:	true
SSDEEP:	12288:AGqEuNSOCyoI6FRjFBzgqsmcVgHSUXDCyqD3vGedbeaxvZ1eAa+eeONTSNje/x4v:vqpox5cxgHXDCySvbbv7e/TSNjepcSQ
MD5:	DB73D17CF5AC8224E84C338A712C196B
SHA1:	BB48F1E51D0A90F38980F93187FC2EE101F9A104
SHA-256:	E766A6F4DF21A4BCA990ECC69EF6619F177B2133F550B99AC4F4FDA4A5B01AD7
SHA-512:	32CA5A3E8CD463B76FA2DC00C1811D8791429D53F004E2A64060C7D2F1F6CB08A196235F225A665993E279F98E4381A93819F22B632F2C6F4C7F0CA48918612B
Malicious:	true
Reputation:	low
Preview:	.e...Y.t.@X..g5IN.&....S\O..t..n..#<.3.....v.u....cS.V3.......".:..;. .G........3.~...PT...#7".$.%...1.m`B.....~...PV.}9...j...g......$....R=]....>....W:%q.!EC.7...Pgw.).v.)...g...n6.....1...3..5r.w!.......`......bp.%.' .Dg.a..6O.6.piI.D'$.B.......gv.V......K.fx....J51AI_..C.W...g..<._.-kMnA.s...~....j.K..O.....(.P..nP.Pc..F....b..y.....3X...95..T...R5?.2.).U3.j.(.aQ...!#.)?1#.......!...A(O..../.G.Jq.].&..M......sX%J.S.M...:..1.?+L......[.@....b>'.X.x.....&.12p..BP..x,k..x.B.1..H.k.J`...-.)..E.u.v.t m.g.....K....r..A1.ok.I....#..4....$^...m...~..-M}L...Ox.]k.$.e^......ae.T......F.8]-C.$(...La:....WC._....(.....'.....l.......;.p.:.J..-W%F3(K...U....<....9yO.u..9].]&.e.k.`.2'!..-...Q....%...r.v...ZN/..O$....-d..dW.Ru........N........c.\|...g.....@st.L~....V.............3r".E..)....u....rg-..di..c(KJ...N80.1...Og'.ak..)R.+...i!../^......!.....M.Nu...O.?..K...v.p"..Vy*.K....y..c...r.4..l.(...\|PW...h?0y:....8...$6.oc...Ad=Z....A0.

C:\Users\user\AppData\Roaming\blsncxvoxmotpljzrxtwkmpap5606009.png

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	991760
Entropy (8bit):	7.999820568418514
Encrypted:	true
SSDEEP:	12288:AGqEuNSOCyoI6FRjFBzgqsmcVgHSUXDCyqD3vGedbeaxvZ1eAa+eeONTSNje/x4v:vqpox5cxgHXDCySvbbv7e/TSNjepcSQ
MD5:	DB73D17CF5AC8224E84C338A712C196B
SHA1:	BB48F1E51D0A90F38980F93187FC2EE101F9A104
SHA-256:	E766A6F4DF21A4BCA990ECC69EF6619F177B2133F550B99AC4F4FDA4A5B01AD7
SHA-512:	32CA5A3E8CD463B76FA2DC00C1811D8791429D53F004E2A64060C7D2F1F6CB08A196235F225A665993E279F98E4381A93819F22B632F2C6F4C7F0CA48918612B
Malicious:	true
Reputation:	low
Preview:	.e...Y.t.@X..g5IN.&....S\O..t..n..#<.3.....v.u....cS.V3.......".:..;. .G........3.~...PT...#7".$.%...1.m`B.....~...PV.}9...j...g......$....R=]....>....W:%q.!EC.7...Pgw.).v.)...g...n6.....1...3..5r.w!.......`......bp.%.' .Dg.a..6O.6.piI.D'$.B.......gv.V......K.fx....J51AI_..C.W...g..<._.-kMnA.s...~....j.K..O.....(.P..nP.Pc..F....b..y.....3X...95..T...R5?.2.).U3.j.(.aQ...!#.)?1#.......!...A(O..../.G.Jq.].&..M......sX%J.S.M...:..1.?+L......[.@....b>'.X.x.....&.12p..BP..x,k..x.B.1..H.k.J`...-.)..E.u.v.t m.g.....K....r..A1.ok.I....#..4....$^...m...~..-M}L...Ox.]k.$.e^......ae.T......F.8]-C.$(...La:....WC._....(.....'.....l.......;.p.:.J..-W%F3(K...U....<....9yO.u..9].]&.e.k.`.2'!..-...Q....%...r.v...ZN/..O$....-d..dW.Ru........N........c.\|...g.....@st.L~....V.............3r".E..)....u....rg-..di..c(KJ...N80.1...Og'.ak..)R.+...i!../^......!.....M.Nu...O.?..K...v.p"..Vy*.K....y..c...r.4..l.(...\|PW...h?0y:....8...$6.oc...Ad=Z....A0.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.590577277598473
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1952768
MD5:	9b2514f290b0e5fe4cd2e6f1745ea188
SHA1:	5a4ab23846c5425abba98c24009c561a787dadfb
SHA256:	c0243843ad83a16bc3c9fe59f8d530aee08fbe163b45cf676c4327d1f2a0a6fb
SHA512:	edf2c8b0e06249ab7d331f5845da6b6f0b7f28c8e3b10043b87ac7bf33d646a1a56a18c522b0b2f12bfd1a27392beaa4c6d961fa0f2b7edf2d93d9c2484fd990
SSDEEP:	49152:Wkwkn9IMHeaA5bCshNwynVIQwMlw1yYtor6KadBaPCS:VdnV3AXVLwMlwJo2vGPC
TLSH:	8395F10263DDC3A4C7725273BA66BB01AEBF7C2506B1F49B2FD4053DE960162521EA73
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S................g..........$...............%.....H.......X.2...........q)..Z...q)......q)........\.....q)......Rich...........

File Icon


Icon Hash:	aab2e3e39383aa00

Static PE Info

General

Entrypoint:	0x426bf7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x5B13EF25 [Sun Jun 3 13:37:41 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	bbac62fd99326ea68ec5a33b36925dd1

Entrypoint Preview

Instruction
call 00007F1590D34C4Ch
jmp 00007F1590D27B34h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F1590D27CBAh
cmp edi, eax
jc 00007F1590D2801Eh
bt dword ptr [004C0158h], 01h
jnc 00007F1590D27CB9h
rep movsb
jmp 00007F1590D27FCCh
cmp ecx, 00000080h
jc 00007F1590D27E84h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1590D27CC0h
bt dword ptr [004BA370h], 01h
jc 00007F1590D28190h
bt dword ptr [004C0158h], 00000000h
jnc 00007F1590D27E5Dh
test edi, 00000003h
jne 00007F1590D27E6Eh
test esi, 00000003h
jne 00007F1590D27E4Dh
bt edi, 02h
jnc 00007F1590D27CBFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1590D27CC3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1590D27D15h

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2012 UPD4 build 61030
[RES] VS2012 UPD4 build 61030
[LNK] VS2012 UPD4 build 61030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb6b6c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x113790	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1d8000	0x6c20	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8d8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb2770	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8d000	0x858	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8be74	0x8c000	False	0.5690970284598215	data	6.681489717174931	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8d000	0x2c76a	0x2c800	False	0.33122476299157305	zlib compressed data	5.781163507108141	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0x9f34	0x6200	False	0.1639030612244898	data	2.004392861291539	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc4000	0x113790	0x113800	False	0.9770649600158802	data	7.982616801304808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1d8000	0xa462	0xa600	False	0.5080948795180723	data	5.238496692777452	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain
RT_ICON	0xc45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain
RT_ICON	0xc48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain
RT_ICON	0xc49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain
RT_ICON	0xc5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain
RT_ICON	0xc6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain
RT_ICON	0xc6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain
RT_ICON	0xc8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain
RT_ICON	0xc9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain
RT_STRING	0xca148	0x594	data	English	Great Britain
RT_STRING	0xca6dc	0x68a	data	English	Great Britain
RT_STRING	0xcad68	0x490	data	English	Great Britain
RT_STRING	0xcb1f8	0x5fc	data	English	Great Britain
RT_STRING	0xcb7f4	0x65c	data	English	Great Britain
RT_STRING	0xcbe50	0x466	data	English	Great Britain
RT_STRING	0xcc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain
RT_RCDATA	0xcc410	0x10ae65	data
RT_GROUP_ICON	0x1d7278	0x76	data	English	Great Britain
RT_GROUP_ICON	0x1d72f0	0x14	data	English	Great Britain
RT_VERSION	0x1d7304	0xdc	data	English	Great Britain
RT_MANIFEST	0x1d73e0	0x3b0	ASCII text, with CRLF line terminators	English	Great Britain

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, CloseHandle, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, CreateThread, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, GetLastError, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, DuplicateHandle, GetCurrentProcess, EnterCriticalSection, GetCurrentThread, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, FindNextFileW, SetEnvironmentVariableA
USER32.dll	CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, AdjustWindowRectEx, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, UnregisterHotKey, SystemParametersInfoW, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, GetCursorPos, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, FindWindowW, CharLowerBuffW, GetWindowTextW
GDI32.dll	SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHGetFolderPathW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 9, 2023 02:06:13.837521076 CEST	49698	11119	192.168.2.3	149.210.249.142
May 9, 2023 02:06:16.845227003 CEST	49698	11119	192.168.2.3	149.210.249.142
May 9, 2023 02:06:22.845700026 CEST	49698	11119	192.168.2.3	149.210.249.142
May 9, 2023 02:06:34.963773966 CEST	49699	11119	192.168.2.3	149.210.249.142
May 9, 2023 02:06:37.956392050 CEST	49699	11119	192.168.2.3	149.210.249.142
May 9, 2023 02:06:43.972543955 CEST	49699	11119	192.168.2.3	149.210.249.142
May 9, 2023 02:06:56.531759024 CEST	49700	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:06:56.551359892 CEST	5555	49700	141.94.96.71	192.168.2.3
May 9, 2023 02:06:56.551651001 CEST	49700	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:06:56.552375078 CEST	49700	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:06:56.571836948 CEST	5555	49700	141.94.96.71	192.168.2.3
May 9, 2023 02:06:56.571885109 CEST	5555	49700	141.94.96.71	192.168.2.3
May 9, 2023 02:06:56.571903944 CEST	5555	49700	141.94.96.71	192.168.2.3
May 9, 2023 02:06:56.572024107 CEST	49700	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:06:56.575603008 CEST	49700	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:06:56.595177889 CEST	5555	49700	141.94.96.71	192.168.2.3
May 9, 2023 02:07:02.612353086 CEST	49701	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:02.632558107 CEST	5555	49701	141.94.96.71	192.168.2.3
May 9, 2023 02:07:02.632795095 CEST	49701	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:02.660639048 CEST	49701	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:02.680794001 CEST	5555	49701	141.94.96.71	192.168.2.3
May 9, 2023 02:07:02.680871010 CEST	5555	49701	141.94.96.71	192.168.2.3
May 9, 2023 02:07:02.680897951 CEST	5555	49701	141.94.96.71	192.168.2.3
May 9, 2023 02:07:02.680965900 CEST	49701	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:02.689275026 CEST	49701	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:02.710680008 CEST	5555	49701	141.94.96.71	192.168.2.3
May 9, 2023 02:07:08.206676006 CEST	49702	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:08.227186918 CEST	5555	49702	141.94.96.195	192.168.2.3
May 9, 2023 02:07:08.227299929 CEST	49702	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:08.227837086 CEST	49702	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:08.247582912 CEST	5555	49702	141.94.96.195	192.168.2.3
May 9, 2023 02:07:08.247637987 CEST	5555	49702	141.94.96.195	192.168.2.3
May 9, 2023 02:07:08.247688055 CEST	5555	49702	141.94.96.195	192.168.2.3
May 9, 2023 02:07:08.247765064 CEST	49702	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:08.251662970 CEST	49702	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:08.271656036 CEST	5555	49702	141.94.96.195	192.168.2.3
May 9, 2023 02:07:14.278320074 CEST	49703	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:14.297800064 CEST	5555	49703	141.94.96.71	192.168.2.3
May 9, 2023 02:07:14.298754930 CEST	49703	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:14.308268070 CEST	49703	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:14.327934027 CEST	5555	49703	141.94.96.71	192.168.2.3
May 9, 2023 02:07:14.328010082 CEST	5555	49703	141.94.96.71	192.168.2.3
May 9, 2023 02:07:14.328031063 CEST	5555	49703	141.94.96.71	192.168.2.3
May 9, 2023 02:07:14.328131914 CEST	49703	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:14.334323883 CEST	49703	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:14.354664087 CEST	5555	49703	141.94.96.71	192.168.2.3
May 9, 2023 02:07:20.345391989 CEST	49704	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:20.365151882 CEST	5555	49704	141.94.96.195	192.168.2.3
May 9, 2023 02:07:20.365638018 CEST	49704	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:20.365691900 CEST	49704	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:20.385384083 CEST	5555	49704	141.94.96.195	192.168.2.3
May 9, 2023 02:07:20.385754108 CEST	5555	49704	141.94.96.195	192.168.2.3
May 9, 2023 02:07:20.385783911 CEST	5555	49704	141.94.96.195	192.168.2.3
May 9, 2023 02:07:20.385884047 CEST	49704	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:20.429852962 CEST	49704	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:20.449567080 CEST	5555	49704	141.94.96.195	192.168.2.3
May 9, 2023 02:07:25.561342001 CEST	49705	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:25.580845118 CEST	5555	49705	141.94.96.195	192.168.2.3
May 9, 2023 02:07:25.581618071 CEST	49705	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:25.581984997 CEST	49705	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:25.601430893 CEST	5555	49705	141.94.96.195	192.168.2.3
May 9, 2023 02:07:25.601531982 CEST	5555	49705	141.94.96.195	192.168.2.3
May 9, 2023 02:07:25.601552963 CEST	5555	49705	141.94.96.195	192.168.2.3
May 9, 2023 02:07:25.601676941 CEST	49705	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:25.606307983 CEST	49705	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:07:25.625803947 CEST	5555	49705	141.94.96.195	192.168.2.3
May 9, 2023 02:07:31.632464886 CEST	49706	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:31.651881933 CEST	5555	49706	141.94.96.144	192.168.2.3
May 9, 2023 02:07:31.652024031 CEST	49706	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:31.652424097 CEST	49706	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:31.671725035 CEST	5555	49706	141.94.96.144	192.168.2.3
May 9, 2023 02:07:31.671817064 CEST	5555	49706	141.94.96.144	192.168.2.3
May 9, 2023 02:07:31.671884060 CEST	5555	49706	141.94.96.144	192.168.2.3
May 9, 2023 02:07:31.671977997 CEST	49706	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:31.701327085 CEST	49706	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:31.720870018 CEST	5555	49706	141.94.96.144	192.168.2.3
May 9, 2023 02:07:37.626368046 CEST	49707	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:37.647516966 CEST	5555	49707	141.94.96.144	192.168.2.3
May 9, 2023 02:07:37.647612095 CEST	49707	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:37.648088932 CEST	49707	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:37.667855978 CEST	5555	49707	141.94.96.144	192.168.2.3
May 9, 2023 02:07:37.667903900 CEST	5555	49707	141.94.96.144	192.168.2.3
May 9, 2023 02:07:37.667916059 CEST	5555	49707	141.94.96.144	192.168.2.3
May 9, 2023 02:07:37.667978048 CEST	49707	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:37.672166109 CEST	49707	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:37.693109035 CEST	5555	49707	141.94.96.144	192.168.2.3
May 9, 2023 02:07:42.769364119 CEST	49708	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:42.789278030 CEST	5555	49708	141.94.96.71	192.168.2.3
May 9, 2023 02:07:42.789545059 CEST	49708	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:42.790469885 CEST	49708	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:42.810203075 CEST	5555	49708	141.94.96.71	192.168.2.3
May 9, 2023 02:07:42.810233116 CEST	5555	49708	141.94.96.71	192.168.2.3
May 9, 2023 02:07:42.810353994 CEST	5555	49708	141.94.96.71	192.168.2.3
May 9, 2023 02:07:42.810431957 CEST	49708	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:42.815592051 CEST	49708	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:42.835355043 CEST	5555	49708	141.94.96.71	192.168.2.3
May 9, 2023 02:07:48.859688997 CEST	49709	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:48.880590916 CEST	5555	49709	141.94.96.144	192.168.2.3
May 9, 2023 02:07:48.880819082 CEST	49709	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:48.881146908 CEST	49709	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:48.901546955 CEST	5555	49709	141.94.96.144	192.168.2.3
May 9, 2023 02:07:48.901585102 CEST	5555	49709	141.94.96.144	192.168.2.3
May 9, 2023 02:07:48.901607037 CEST	5555	49709	141.94.96.144	192.168.2.3
May 9, 2023 02:07:48.901683092 CEST	49709	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:48.905082941 CEST	49709	5555	192.168.2.3	141.94.96.144
May 9, 2023 02:07:48.925062895 CEST	5555	49709	141.94.96.144	192.168.2.3
May 9, 2023 02:07:54.880296946 CEST	49710	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:54.899866104 CEST	5555	49710	141.94.96.71	192.168.2.3
May 9, 2023 02:07:54.899986029 CEST	49710	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:54.900284052 CEST	49710	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:54.923783064 CEST	5555	49710	141.94.96.71	192.168.2.3
May 9, 2023 02:07:54.924118042 CEST	5555	49710	141.94.96.71	192.168.2.3
May 9, 2023 02:07:54.924213886 CEST	5555	49710	141.94.96.71	192.168.2.3
May 9, 2023 02:07:54.924274921 CEST	49710	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:54.929373980 CEST	49710	5555	192.168.2.3	141.94.96.71
May 9, 2023 02:07:54.948853016 CEST	5555	49710	141.94.96.71	192.168.2.3
May 9, 2023 02:08:00.360837936 CEST	49711	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:08:00.380754948 CEST	5555	49711	141.94.96.195	192.168.2.3
May 9, 2023 02:08:00.380862951 CEST	49711	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:08:00.381154060 CEST	49711	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:08:00.400903940 CEST	5555	49711	141.94.96.195	192.168.2.3
May 9, 2023 02:08:00.400949955 CEST	5555	49711	141.94.96.195	192.168.2.3
May 9, 2023 02:08:00.400974989 CEST	5555	49711	141.94.96.195	192.168.2.3
May 9, 2023 02:08:00.401110888 CEST	49711	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:08:00.409431934 CEST	49711	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:08:00.429344893 CEST	5555	49711	141.94.96.195	192.168.2.3
May 9, 2023 02:08:06.383009911 CEST	49712	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:08:06.402812958 CEST	5555	49712	141.94.96.195	192.168.2.3
May 9, 2023 02:08:06.405219078 CEST	49712	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:08:06.405584097 CEST	49712	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:08:06.425293922 CEST	5555	49712	141.94.96.195	192.168.2.3
May 9, 2023 02:08:06.425327063 CEST	5555	49712	141.94.96.195	192.168.2.3
May 9, 2023 02:08:06.425343990 CEST	5555	49712	141.94.96.195	192.168.2.3
May 9, 2023 02:08:06.425513029 CEST	49712	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:08:06.430969000 CEST	49712	5555	192.168.2.3	141.94.96.195
May 9, 2023 02:08:06.450774908 CEST	5555	49712	141.94.96.195	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 9, 2023 02:06:56.495421886 CEST	49977	53	192.168.2.3	8.8.8.8
May 9, 2023 02:06:56.522639036 CEST	53	49977	8.8.8.8	192.168.2.3
May 9, 2023 02:07:02.588311911 CEST	57840	53	192.168.2.3	8.8.8.8
May 9, 2023 02:07:02.608448029 CEST	53	57840	8.8.8.8	192.168.2.3
May 9, 2023 02:07:08.159780979 CEST	57990	53	192.168.2.3	8.8.8.8
May 9, 2023 02:07:08.195655107 CEST	53	57990	8.8.8.8	192.168.2.3
May 9, 2023 02:07:14.237000942 CEST	52387	53	192.168.2.3	8.8.8.8
May 9, 2023 02:07:14.272403955 CEST	53	52387	8.8.8.8	192.168.2.3
May 9, 2023 02:07:20.316302061 CEST	56924	53	192.168.2.3	8.8.8.8
May 9, 2023 02:07:20.343797922 CEST	53	56924	8.8.8.8	192.168.2.3
May 9, 2023 02:07:25.528371096 CEST	60625	53	192.168.2.3	8.8.8.8
May 9, 2023 02:07:25.554506063 CEST	53	60625	8.8.8.8	192.168.2.3
May 9, 2023 02:07:31.610723972 CEST	49302	53	192.168.2.3	8.8.8.8
May 9, 2023 02:07:31.630876064 CEST	53	49302	8.8.8.8	192.168.2.3
May 9, 2023 02:07:37.592055082 CEST	53975	53	192.168.2.3	8.8.8.8
May 9, 2023 02:07:37.621570110 CEST	53	53975	8.8.8.8	192.168.2.3
May 9, 2023 02:07:42.731934071 CEST	51139	53	192.168.2.3	8.8.8.8
May 9, 2023 02:07:42.762119055 CEST	53	51139	8.8.8.8	192.168.2.3
May 9, 2023 02:07:48.828202963 CEST	52955	53	192.168.2.3	8.8.8.8
May 9, 2023 02:07:48.857024908 CEST	53	52955	8.8.8.8	192.168.2.3
May 9, 2023 02:07:54.858325005 CEST	60582	53	192.168.2.3	8.8.8.8
May 9, 2023 02:07:54.878506899 CEST	53	60582	8.8.8.8	192.168.2.3
May 9, 2023 02:08:00.279237032 CEST	57134	53	192.168.2.3	8.8.8.8
May 9, 2023 02:08:00.299612999 CEST	53	57134	8.8.8.8	192.168.2.3
May 9, 2023 02:08:06.360290051 CEST	62050	53	192.168.2.3	8.8.8.8
May 9, 2023 02:08:06.380495071 CEST	53	62050	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 9, 2023 02:06:56.495421886 CEST	192.168.2.3	8.8.8.8	0xbdf6	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:02.588311911 CEST	192.168.2.3	8.8.8.8	0x1081	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:08.159780979 CEST	192.168.2.3	8.8.8.8	0xea57	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:14.237000942 CEST	192.168.2.3	8.8.8.8	0xca90	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:20.316302061 CEST	192.168.2.3	8.8.8.8	0xe862	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:25.528371096 CEST	192.168.2.3	8.8.8.8	0x34fe	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:31.610723972 CEST	192.168.2.3	8.8.8.8	0x4e02	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:37.592055082 CEST	192.168.2.3	8.8.8.8	0x6c76	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:42.731934071 CEST	192.168.2.3	8.8.8.8	0x7c1b	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:48.828202963 CEST	192.168.2.3	8.8.8.8	0xc3f5	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:54.858325005 CEST	192.168.2.3	8.8.8.8	0xc8a4	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
May 9, 2023 02:08:00.279237032 CEST	192.168.2.3	8.8.8.8	0xf52e	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false
May 9, 2023 02:08:06.360290051 CEST	192.168.2.3	8.8.8.8	0xa1fb	Standard query (0)	pool.supportxmr.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 9, 2023 02:06:56.522639036 CEST	8.8.8.8	192.168.2.3	0xbdf6	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:06:56.522639036 CEST	8.8.8.8	192.168.2.3	0xbdf6	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
May 9, 2023 02:06:56.522639036 CEST	8.8.8.8	192.168.2.3	0xbdf6	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:06:56.522639036 CEST	8.8.8.8	192.168.2.3	0xbdf6	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:02.608448029 CEST	8.8.8.8	192.168.2.3	0x1081	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:07:02.608448029 CEST	8.8.8.8	192.168.2.3	0x1081	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:02.608448029 CEST	8.8.8.8	192.168.2.3	0x1081	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:02.608448029 CEST	8.8.8.8	192.168.2.3	0x1081	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:08.195655107 CEST	8.8.8.8	192.168.2.3	0xea57	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:07:08.195655107 CEST	8.8.8.8	192.168.2.3	0xea57	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:08.195655107 CEST	8.8.8.8	192.168.2.3	0xea57	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:08.195655107 CEST	8.8.8.8	192.168.2.3	0xea57	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:14.272403955 CEST	8.8.8.8	192.168.2.3	0xca90	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:07:14.272403955 CEST	8.8.8.8	192.168.2.3	0xca90	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:14.272403955 CEST	8.8.8.8	192.168.2.3	0xca90	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:14.272403955 CEST	8.8.8.8	192.168.2.3	0xca90	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:20.343797922 CEST	8.8.8.8	192.168.2.3	0xe862	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:07:20.343797922 CEST	8.8.8.8	192.168.2.3	0xe862	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:20.343797922 CEST	8.8.8.8	192.168.2.3	0xe862	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:20.343797922 CEST	8.8.8.8	192.168.2.3	0xe862	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:25.554506063 CEST	8.8.8.8	192.168.2.3	0x34fe	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:07:25.554506063 CEST	8.8.8.8	192.168.2.3	0x34fe	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:25.554506063 CEST	8.8.8.8	192.168.2.3	0x34fe	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:25.554506063 CEST	8.8.8.8	192.168.2.3	0x34fe	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:31.630876064 CEST	8.8.8.8	192.168.2.3	0x4e02	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:07:31.630876064 CEST	8.8.8.8	192.168.2.3	0x4e02	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:31.630876064 CEST	8.8.8.8	192.168.2.3	0x4e02	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:31.630876064 CEST	8.8.8.8	192.168.2.3	0x4e02	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:37.621570110 CEST	8.8.8.8	192.168.2.3	0x6c76	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:07:37.621570110 CEST	8.8.8.8	192.168.2.3	0x6c76	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:37.621570110 CEST	8.8.8.8	192.168.2.3	0x6c76	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:37.621570110 CEST	8.8.8.8	192.168.2.3	0x6c76	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:42.762119055 CEST	8.8.8.8	192.168.2.3	0x7c1b	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:07:42.762119055 CEST	8.8.8.8	192.168.2.3	0x7c1b	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:42.762119055 CEST	8.8.8.8	192.168.2.3	0x7c1b	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:42.762119055 CEST	8.8.8.8	192.168.2.3	0x7c1b	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:48.857024908 CEST	8.8.8.8	192.168.2.3	0xc3f5	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:07:48.857024908 CEST	8.8.8.8	192.168.2.3	0xc3f5	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:48.857024908 CEST	8.8.8.8	192.168.2.3	0xc3f5	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:48.857024908 CEST	8.8.8.8	192.168.2.3	0xc3f5	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:54.878506899 CEST	8.8.8.8	192.168.2.3	0xc8a4	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:07:54.878506899 CEST	8.8.8.8	192.168.2.3	0xc8a4	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:54.878506899 CEST	8.8.8.8	192.168.2.3	0xc8a4	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:07:54.878506899 CEST	8.8.8.8	192.168.2.3	0xc8a4	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:08:00.299612999 CEST	8.8.8.8	192.168.2.3	0xf52e	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:08:00.299612999 CEST	8.8.8.8	192.168.2.3	0xf52e	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false
May 9, 2023 02:08:00.299612999 CEST	8.8.8.8	192.168.2.3	0xf52e	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:08:00.299612999 CEST	8.8.8.8	192.168.2.3	0xf52e	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:08:06.380495071 CEST	8.8.8.8	192.168.2.3	0xa1fb	No error (0)	pool.supportxmr.com	pool-fr.supportxmr.com		CNAME (Canonical name)	IN (0x0001)	false
May 9, 2023 02:08:06.380495071 CEST	8.8.8.8	192.168.2.3	0xa1fb	No error (0)	pool-fr.supportxmr.com		141.94.96.71	A (IP address)	IN (0x0001)	false
May 9, 2023 02:08:06.380495071 CEST	8.8.8.8	192.168.2.3	0xa1fb	No error (0)	pool-fr.supportxmr.com		141.94.96.195	A (IP address)	IN (0x0001)	false
May 9, 2023 02:08:06.380495071 CEST	8.8.8.8	192.168.2.3	0xa1fb	No error (0)	pool-fr.supportxmr.com		141.94.96.144	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 3988, Parent PID: 3452

General

Target ID:	0
Start time:	02:06:08
Start date:	09/05/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xad0000
File size:	1952768 bytes
MD5 hash:	9B2514F290B0E5FE4CD2E6F1745EA188
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.267648050.0000000004D00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.267053269.0000000004CF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.270563383.0000000004FEA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.266004196.0000000004DFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.270272153.0000000004F03000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.278820913.0000000004E01000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.266165449.0000000004DFD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.272024237.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.265865219.0000000004CF2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.267996427.0000000004E07000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.266668654.0000000004BFA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.276116511.00000000049FB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.279512989.0000000005220000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.268978093.0000000004F00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.266256656.0000000004F08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.272318820.0000000004D00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.266446164.0000000004DF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.272576404.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000003.267449934.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: file.exePID: 4788, Parent PID: 3988

General

Target ID:	1
Start time:	02:06:12
Start date:	09/05/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xad0000
File size:	1952768 bytes
MD5 hash:	9B2514F290B0E5FE4CD2E6F1745EA188
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: PUA_WIN_XMRIG_CryptoCoin_Miner_Dec20, Description: Detects XMRIG crypto coin miners, Source: 00000001.00000002.527184062.0000000001480000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000001.00000002.527184062.0000000001480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: notepad.exePID: 7152, Parent PID: 4788

General

Target ID:	11
Start time:	02:06:55
Start date:	09/05/2023
Path:	C:\Windows\notepad.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\notepad.exe" -c "C:\ProgramData\zmWLVbyRgm\cfg
Imagebase:	0x7ff799480000
File size:	245760 bytes
MD5 hash:	BB9A06B8F2DD9D24C77F389D7B2B58D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000002.526929081.000002347DEC2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000002.525895989.000000000050D000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 0000000B.00000002.525895989.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 0000000B.00000002.525895989.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000B.00000002.525895989.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 3988, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.4%
Total number of Nodes:	1818
Total number of Limit Nodes:	51

Executed Functions

Function 00AFBDF6 Relevance: 21.5, APIs: 14, Instructions: 537COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cacc13fb08116a4f5b8ca6fff7a176b6e55f49c53e2ccb4345fdf6bc4377bb2
Instruction ID: c236b23556c90d035ef391e3aa945d3fcf31f9c98c8c7af40a3dc140559f4dd9
Opcode Fuzzy Hash: 8cacc13fb08116a4f5b8ca6fff7a176b6e55f49c53e2ccb4345fdf6bc4377bb2
Instruction Fuzzy Hash: DB326D75A1222C8FDB24DF99DE806E9B7B5FB46360F0441D9E50AE7A81D7309E80CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00AD374E Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 145windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00AD376D

Part of subcall function 00AD4257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104,?,00000000,00000001,00000000), ref: 00AD428C

IsDebuggerPresent.KERNEL32(?,?), ref: 00AD377F
GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\file.exe,00000104,?,00B91120,C:\Users\user\Desktop\file.exe,00B91124,?,?), ref: 00AD37EE

Part of subcall function 00AD34F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00AD352A

SetCurrentDirectoryW.KERNEL32(?), ref: 00AD3860
MessageBoxA.USER32 ref: 00B421C5
SetCurrentDirectoryW.KERNEL32(?,?), ref: 00B421FD
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00B42232
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B6DAA4), ref: 00B42290
ShellExecuteW.SHELL32(00000000), ref: 00B42297

Part of subcall function 00AD30A5: GetSysColorBrush.USER32(0000000F), ref: 00AD30B0
Part of subcall function 00AD30A5: LoadCursorW.USER32(00000000,00007F00), ref: 00AD30BF
Part of subcall function 00AD30A5: LoadIconW.USER32(00000063), ref: 00AD30D5
Part of subcall function 00AD30A5: LoadIconW.USER32(000000A4), ref: 00AD30E7
Part of subcall function 00AD30A5: LoadIconW.USER32(000000A2), ref: 00AD30F9
Part of subcall function 00AD30A5: RegisterClassExW.USER32 ref: 00AD3167

Part of subcall function 00AD2E9D: CreateWindowExW.USER32 ref: 00AD2ECB
Part of subcall function 00AD2E9D: CreateWindowExW.USER32 ref: 00AD2EEC
Part of subcall function 00AD2E9D: ShowWindow.USER32(00000000), ref: 00AD2F00
Part of subcall function 00AD2E9D: ShowWindow.USER32(00000000), ref: 00AD2F09

Part of subcall function 00AD3598: _memset.LIBCMT ref: 00AD35BE
Part of subcall function 00AD3598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AD3667

Strings

runas, xrefs: 00B4228B
C:\Users\user\Desktop\file.exe, xrefs: 00AD37B4, 00AD37E9, 00AD37FD, 00B42257
This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support., xrefs: 00B421BE

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
String ID: C:\Users\user\Desktop\file.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
API String ID: 4253510256-1803407802
Opcode ID: 20f9452d657339ce68e26bba01eec5e7a037673c0d5058b4b90d4e8f9e10d0aa
Instruction ID: 3ac0de043331ce13294204e773937872a8505b10cc91da4d0ccc821a6cca9276
Opcode Fuzzy Hash: 20f9452d657339ce68e26bba01eec5e7a037673c0d5058b4b90d4e8f9e10d0aa
Instruction Fuzzy Hash: 69513676A44245BBCF20ABB4DD46FAD3BB89B15700F0005E7F653A32A1DE704A45EB63

Uniqueness

Uniqueness Score: -1.00%

Function 00AEE47B Relevance: 10.7, APIs: 7, Instructions: 175COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00AEE4A7

Part of subcall function 00AD7E53: _memmove.LIBCMT ref: 00AD7EB9

GetCurrentProcess.KERNEL32(00000000,00B6DC28,?,?), ref: 00AEE567
GetNativeSystemInfo.KERNELBASE(?,00B6DC28,?,?), ref: 00AEE5BC
FreeLibrary.KERNEL32(00000000,?,?), ref: 00AEE5C7
FreeLibrary.KERNEL32(00000000,?,?), ref: 00AEE5DA
GetSystemInfo.KERNEL32(?,00B6DC28,?,?), ref: 00AEE5E4
GetSystemInfo.KERNEL32(?,00B6DC28,?,?), ref: 00AEE5F0

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
String ID:
API String ID: 2717633055-0
Opcode ID: c1feb45b2ca9b5f2c3ef9076ebbff08b53156405601d44205c2357c43172662e
Instruction ID: ed26da4c0d7857fe44f88848090806614ca631c061776cb80b7a354ce7fa1cf6
Opcode Fuzzy Hash: c1feb45b2ca9b5f2c3ef9076ebbff08b53156405601d44205c2357c43172662e
Instruction Fuzzy Hash: 0261B0B180A3C4CFCF15CF6998C15E97FB4AF2A304F1949E9D8459B24BD634CA08DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00AD31F2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00AD3202
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00AD3219
LoadResource.KERNEL32(?,00000000), ref: 00B457D7
SizeofResource.KERNEL32(?,00000000), ref: 00B457EC
LockResource.KERNEL32(?), ref: 00B457FF

Strings

SCRIPT, xrefs: 00AD320F

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: bd06c6284fa1f0ea2982cd46eb510546e546468ea12570f3ccae72c1bf5e1a5c
Instruction ID: a3205e382e4190cb862e52833307396c8ba0e95916d112a1d546a1081c76b0fd
Opcode Fuzzy Hash: bd06c6284fa1f0ea2982cd46eb510546e546468ea12570f3ccae72c1bf5e1a5c
Instruction Fuzzy Hash: D4117C75600701BFEB218B65EC48F677BB9FBC9B42F1081A9B412872A0DB71DD00CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00AE2B40 Relevance: 6.6, APIs: 2, Strings: 1, Instructions: 1382COMMON

Download Yara Rule

APIs

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

Part of subcall function 00AF010A: std::exception::exception.LIBCMT ref: 00AF013E
Part of subcall function 00AF010A: __CxxThrowException@8.LIBCMT ref: 00AF0153

_memmove.LIBCMT ref: 00AE2C63
_memmove.LIBCMT ref: 00AE303A

Strings

@, xrefs: 00AE34D4

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _memmove$Exception@8Throw_mallocstd::exception::exception
String ID: @
API String ID: 3956474712-2766056989
Opcode ID: e402a97021dfb76cf0876e74a98c136648cf1237be3c018b61b939d7d1a517f3
Instruction ID: 8d1544af73dff8eed5598956f276f3494685d91c0cfabe8b9eaa9585bde6aae8
Opcode Fuzzy Hash: e402a97021dfb76cf0876e74a98c136648cf1237be3c018b61b939d7d1a517f3
Instruction Fuzzy Hash: 3EC27A75A00245EFCF14DF99C884AAEB7B5FF48300F24809AE906AB351DB35EE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AEDD92 Relevance: 4.5, APIs: 3, Instructions: 26fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00ADC848,00ADC848), ref: 00AEDDA2
FindFirstFileW.KERNELBASE(00ADC848,?), ref: 00B44A83

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: File$AttributesFindFirst
String ID:
API String ID: 4185537391-0
Opcode ID: aae9e75bbb00d42f062e5e38123b6748396d61276734ab304b85a3966d9057d4
Instruction ID: bad140ae9af1a4985b9be34029203f7aa14b0bc77ad8247329bf30c7e0123fcf
Opcode Fuzzy Hash: aae9e75bbb00d42f062e5e38123b6748396d61276734ab304b85a3966d9057d4
Instruction Fuzzy Hash: 6EE0D8314159415753246738DC4D9E93BACDA05339B100785F875D20E0EB709E5095E6

Uniqueness

Uniqueness Score: -1.00%

Function 00ADDCD0 Relevance: 3.5, APIs: 2, Instructions: 540COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab37a3cb5cf8011be1bcaae2a3127a454ce516a2d58bb7d4a3a8c4c8ac105ff4
Instruction ID: 9145ad2679155ba508ce4d6f70fe350fcba868c79e3bdd354015d438f23579ab
Opcode Fuzzy Hash: ab37a3cb5cf8011be1bcaae2a3127a454ce516a2d58bb7d4a3a8c4c8ac105ff4
Instruction Fuzzy Hash: A0228B71A0020A9FDB24DF58C490ABEB7F1FF18300F14816AE99B9B391D775A985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AE3680 Relevance: 2.5, APIs: 1, Instructions: 986COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 610d2700a4f7cae17c78df8e63d0d69c3f1319052b560097c513845f57f17271
Instruction ID: 49d954787c70a6f4f050188932d4977ae2d98eb1d2d6b38eee37cfd8b332bc96
Opcode Fuzzy Hash: 610d2700a4f7cae17c78df8e63d0d69c3f1319052b560097c513845f57f17271
Instruction Fuzzy Hash: F19298716082818FDB24DF19C584B2AB7F5FF88304F14889DE98A8B3A2D775ED45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AF8E19 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNELBASE(?), ref: 00AF8E1F

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c083f2091d8ebdae104b1d87627e74a6696296fc0a0a80a6b1e8f84813e26e1f
Instruction ID: bd2c25a96e3624da28f068b244cab017dc244e858892b6a2469b03b4c254d269
Opcode Fuzzy Hash: c083f2091d8ebdae104b1d87627e74a6696296fc0a0a80a6b1e8f84813e26e1f
Instruction Fuzzy Hash: 2CA0243000070CF7CF001F51FC044447F7CD7041517004050F40C41031CF73551045C5

Uniqueness

Uniqueness Score: -1.00%

Function 00ADE1F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 815
windowsleeptimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00ADE1F0(struct HWND__* __ecx, struct HWND__* __fp0, signed int _a4) {
				struct tagMSG _v32;
				char _v40;
				char _v44;
				char _v60;
				char _v76;
				char _v80;
				char _v84;
				char _v96;
				char _v100;
				int _v104;
				struct HWND__* _v108;
				struct HWND__* _v116;
				int _v120;
				struct HWND__* _v124;
				char _v128;
				struct HWND__* _v132;
				long _v136;
				char _v140;
				int* _v148;
				struct tagMSG _v172;
				struct HWND__* _v176;
				char _v177;
				long _v180;
				long _v184;
				struct HWND__* _v188;
				struct HWND__* _v196;
				char _v200;
				int _v204;
				int _v208;
				signed int _v212;
				struct HWND__* _v216;
				signed int _v220;
				signed int _v224;
				char _v228;
				long _v236;
				char _v237;
				char _v240;
				struct HWND__* _v244;
				char _v268;
				signed int __ebx;
				void* __edi;
				intOrPtr _t255;
				signed int _t257;
				intOrPtr _t258;
				intOrPtr _t260;
				signed int _t266;
				signed int _t272;
				intOrPtr* _t274;
				short* _t279;
				int* _t280;
				signed int* _t281;
				struct HWND__* _t315;
				signed int _t324;
				signed int _t328;
				long _t333;
				void* _t334;
				void* _t336;
				int _t342;
				long _t343;
				int _t351;
				long _t352;
				void* _t364;
				void* _t365;
				signed int _t368;
				void* _t382;
				signed int _t383;
				short _t386;
				void* _t387;
				signed int _t390;
				signed int _t410;
				void* _t430;
				signed int _t436;
				void* _t438;
				struct HWND__** _t440;
				void* _t444;
				long _t467;
				void* _t475;
				signed int _t506;
				signed int _t507;
				signed int _t510;
				intOrPtr _t515;
				intOrPtr _t520;
				signed int _t523;
				signed int _t526;
				void* _t528;
				intOrPtr* _t529;
				signed int _t530;
				signed int _t531;
				int* _t532;
				signed int _t533;
				signed int* _t534;
				signed int _t536;
				void* _t538;
				void* _t575;

				_t585 = __fp0;
				_t538 = (_t536 & 0xfffffff8) - 0xec;
				_t438 = __ecx;
				_t255 =  *((intOrPtr*)(__ecx + 0xec));
				_v176 = __ecx;
				if(_t255 >= 0xf3c) {
					 *0xb910b6 = 0;
					_t257 = E00B1D520(__ecx, __fp0, 0x9a, 0xffffffff) | 0xffffffff;
					L56:
					return _t257;
				}
				_t258 = _t255 + 1;
				 *((intOrPtr*)(__ecx + 0xec)) = _t258;
				if(_t258 == 1) {
					L00AEECEE(__ecx, __eflags, __fp0);
				}
				 *((char*)(_t438 + 0x148)) = 0;
				if( *((char*)(_t438 + 0x100)) != 0) {
					L53:
					_t260 =  *((intOrPtr*)(_t438 + 0xec));
					 *((char*)(_t438 + 0x148)) = 0;
					if(_t260 == 1) {
						E00AD322E(_t438, __eflags);
						__eflags =  *((char*)(_t438 + 0x100)) - 1;
						if(__eflags == 0) {
							L55:
							_t257 = 0;
							goto L56;
						}
						L00AEEC33(_t438, __eflags, _t585);
						LockWindowUpdate(0);
						DestroyWindow( *0xb910e8); // executed
						_t266 = GetMessageW( &_v32, 0, 0, 0);
						__eflags = _t266;
						if(_t266 <= 0) {
							goto L55;
						}
						do {
							TranslateMessage( &_v32);
							DispatchMessageW( &_v32);
							_t272 = GetMessageW( &_v32, 0, 0, 0);
							__eflags = _t272;
						} while (_t272 > 0);
						goto L55;
					}
					 *((intOrPtr*)(_t438 + 0xec)) = _t260 - 1;
					goto L55;
				} else {
					while(1) {
						_t506 = 2;
						if( *((char*)(_t438 + 0x148)) != 0) {
							goto L53;
						}
						if( *0xb910b7 != 0) {
							__eflags =  *((char*)(_t438 + 0x149));
							if(__eflags == 0) {
								L11:
								if( *0xb91104 != 0) {
									_t274 =  *0xb91108; // 0x0
									_t520 =  *_t274;
									E00B1D869();
									_t507 =  *(_t438 + 0x1cc);
									_t514 = 0;
									__eflags = _t507;
									if(_t507 == 0) {
										L102:
										__eflags = _t514 - _t507;
										if(__eflags == 0) {
											_t506 = 2;
											goto L12;
										}
										_t430 = L00AECF79(_t438,  *((intOrPtr*)( *((intOrPtr*)( *(_t438 + 0x1c8) + _t514 * 4)))) + 8);
										E00ADC935(_t438 + 0x150,  *((intOrPtr*)( *((intOrPtr*)( *(_t438 + 0x1c8) + _t514 * 4)))) + 0x18);
										E00AD1000(_t438, _t585,  *((intOrPtr*)(_t430 + 0x10)) + 1, 1, 0);
										L51:
										L52:
										if( *((char*)(_t438 + 0x100)) == 0) {
											continue;
										}
										goto L53;
									}
									_t475 =  *(_t438 + 0x1c8);
									do {
										_t436 =  *( *_t475);
										__eflags = _t436;
										if(_t436 == 0) {
											goto L101;
										}
										__eflags =  *_t436 - _t520;
										if( *_t436 == _t520) {
											goto L102;
										}
										L101:
										_t514 = _t514 + 1;
										_t475 = _t475 + 4;
										__eflags = _t514 - _t507;
									} while (_t514 < _t507);
									goto L102;
								}
								L12:
								if( *0xb910c5 == 1) {
									__eflags =  *0xb910b7;
									if(__eflags != 0) {
										goto L13;
									}
									Sleep(0xa);
									goto L52;
								}
								L13:
								if( *((intOrPtr*)(_t438 + 0x480)) == 0 ||  *0xb92360 != 0) {
									L22:
									if( *0xb9181c == 0 ||  *((char*)(_t438 + 0x484)) == 1) {
										L32:
										_t444 = _t438;
										if(E00ADE7B0(_t444, _t506, _t585) == 1) {
											goto L51;
										}
										if( *0xb91990 != 0) {
											__eflags =  *((char*)(_t438 + 0x485)) - 1;
											if(__eflags == 0) {
												goto L34;
											}
											E00ADD3D2( &(_v172.message), __eflags);
											while(1) {
												_t410 = E00B156DC(0xb918f0,  &_v172);
												__eflags = _t410;
												if(_t410 == 0) {
													break;
												}
												__eflags = _v172.wParam;
												if(_v172.wParam == 0) {
													continue;
												}
												_t530 = L00AECF79(_t438,  &(_v172.message));
												__eflags = _t530;
												if(_t530 == 0) {
													continue;
												}
												_v116 = 0;
												_v108 = 0;
												_v104 = 1;
												E00AE2570( &_v116);
												_v104 = 1;
												_v116 = _v172.hwnd;
												E00ADCAEE(_t438,  &_v80, __eflags, L"@TRAY_ID");
												E00ADD380( &_v84,  &_v120, 1, 2);
												E00AD5CD3( &_v100);
												 *((char*)(_t438 + 0x485)) = 1;
												E00AD1000(_t438, _t585,  *((intOrPtr*)(_t530 + 0x10)) + 1, 1, 0);
												 *((char*)(_t438 + 0x485)) = 0;
												E00AE2570( &_v148);
												_t475 =  &_v204;
												E00B1542E(_t475);
												goto L51;
											}
											_t475 =  &(_v172.message);
											E00AD5CD3(_t475);
										}
										L34:
										_t342 =  *(_t438 + 0xfc);
										if(_t342 == 7) {
											_t343 = WaitForSingleObject( *(_t438 + 0x470), 0xa);
											_v136 = _t343;
											__eflags = _t343 - 0x102;
											if(__eflags == 0) {
												goto L51;
											}
											GetExitCodeProcess( *(_t438 + 0x470),  &_v136);
											CloseHandle( *(_t438 + 0x470));
											_v236 = _v136;
											L130:
											_push(_t444);
											_t475 =  *((intOrPtr*)( *_t438 + 4)) + _t438;
											__eflags = _t475;
											L00AD2F0E(_t475,  &_v236);
											L131:
											 *((char*)(_t438 + 0x148)) = 1;
											 *(_t438 + 0xfc) = 0;
											goto L51;
										}
										if(_t342 == 8 || _t342 == 9) {
											Sleep(0xa);
											__eflags =  *(_t438 + 0x468);
											if( *(_t438 + 0x468) == 0) {
												L182:
												_t351 =  *(_t438 + 0xfc);
												_t523 = 0;
												_v237 = 0;
												_v236 = 0;
												__eflags = _t351 - 8;
												if(_t351 != 8) {
													__eflags = _t351 - 9;
													if(__eflags != 0) {
														goto L51;
													}
													L186:
													_t475 =  *(_t438 + 0x474);
													_t352 = 0xcccccccc;
													_v184 = 0xcccccccc;
													__eflags = _t475;
													if(_t475 == 0) {
														L190:
														__eflags =  *(_t438 + 0xfc) - 8;
														if( *(_t438 + 0xfc) != 8) {
															_t475 =  *((intOrPtr*)( *_t438 + 4)) + _t438;
															__eflags = _t475;
															L00AD7BA9(_t475, _t352, 0);
														} else {
															_v236 = _t523;
															asm("fild dword [esp+0x10]");
															__eflags = _t523;
															if(__eflags < 0) {
																_t585 = _t585 +  *0xb86568;
															}
															_push(_t475);
															_v236 = _t585;
															_t475 =  *((intOrPtr*)( *_t438 + 4)) + _t438;
															E00B2F5BC(_t475,  &_v236);
														}
														 *((char*)(_t438 + 0x148)) = 1;
														 *(_t438 + 0xfc) = 0;
														Sleep( *(_t438 + 0x314));
														goto L51;
													}
													GetExitCodeProcess(_t475,  &_v184);
													__eflags = _v184 - 0x103;
													if(_v184 != 0x103) {
														L189:
														CloseHandle( *(_t438 + 0x474));
														_t352 = _v184;
														 *(_t438 + 0x474) = 0;
														goto L190;
													}
													__eflags = WaitForSingleObject( *(_t438 + 0x474), 0);
													if(__eflags != 0) {
														goto L51;
													}
													goto L189;
												}
												_t475 =  *(_t438 + 0x458);
												L00B16F5B(_t475,  &_v236,  &_v237);
												_t538 = _t538 + 4;
												__eflags = _v237 - 1;
												if(__eflags != 0) {
													goto L51;
												}
												_t523 = _v236;
												goto L186;
											}
											_t475 =  *(_t438 + 0x46c);
											_t364 = E00AEE3A5(_t475);
											__eflags = _t506;
											if(__eflags < 0) {
												goto L182;
											}
											if(__eflags > 0) {
												L180:
												_t365 =  *(_t438 + 0x474);
												__eflags = _t365;
												if(_t365 != 0) {
													CloseHandle(_t365);
													 *(_t438 + 0x474) = 0;
												}
												_v236 = 0;
												goto L130;
											}
											__eflags = _t364 -  *(_t438 + 0x468);
											if(_t364 <  *(_t438 + 0x468)) {
												goto L182;
											}
											goto L180;
										} else {
											if(_t342 == 2 || _t342 == 3 || _t342 == 4 || _t342 == 5 || _t342 == 6) {
												Sleep(0xa);
												__eflags =  *(_t438 + 0x310);
												if( *(_t438 + 0x310) == 0) {
													L159:
													_t368 =  *(_t438 + 0xfc) + 0xfffffffd;
													__eflags = _t368 - 3;
													if(__eflags > 0) {
														goto L51;
													}
													switch( *((intOrPtr*)(_t368 * 4 +  &M00B4630B))) {
														case 0:
															__ecx = __ebx;
															__eax = L00AD1DCE(__ecx, __edx, __eflags, 1);
															goto L168;
														case 1:
															__ecx = __ebx;
															__eax = L00AD1DCE(__ecx, __edx, __eflags, 1);
															goto L164;
														case 2:
															_t475 = _t438;
															_t369 = L00B38A48(_t475, _t506, __eflags);
															L168:
															_t524 = _t369;
															__eflags = _t524;
															if(__eflags >= 0) {
																goto L170;
															}
															goto L169;
														case 3:
															__ecx = __ebx;
															__eax = L00B38A48(__ecx, __edx, __eflags);
															L164:
															__esi = __eax;
															__eflags = __eax;
															if(__eflags < 0) {
																L169:
																_t489 =  *((intOrPtr*)( *_t438 + 4)) + _t438;
																E00B1D7E4(_t489,  ~_t524, 0);
																_push(_t489);
																_v244 = 0;
																_t475 =  *((intOrPtr*)( *_t438 + 4)) + _t438;
																_t369 = L00AD2F0E(_t475,  &_v244);
																__eflags = _t524;
																L170:
																if(__eflags == 0) {
																	goto L51;
																}
																__eflags = _t524;
																if(_t524 <= 0) {
																	L175:
																	_t475 =  *(_t438 + 0x314);
																	 *((char*)(_t438 + 0x148)) = 1;
																	 *(_t438 + 0xfc) = 0;
																	E00B18355(_t369, _t475, _t585);
																	goto L51;
																}
																L172:
																_t369 =  *(_t438 + 0xfc);
																__eflags = _t369 - 5;
																if(_t369 == 5) {
																	L174:
																	_v132 = 0;
																	_v124 = 0;
																	_v120 = 1;
																	E00AE2570( &_v132);
																	_v120 = 7;
																	__eflags =  *((intOrPtr*)( *_t438 + 4)) + _t438;
																	_v132 =  *( *(_t438 + 0x1f8));
																	E00B2D12A(_t438,  *((intOrPtr*)( *_t438 + 4)) + _t438, _t506,  &_v132, 0);
																	_t369 = E00AE2570( &_v140);
																	goto L175;
																}
																__eflags = _t369 - 3;
																if(_t369 != 3) {
																	goto L175;
																}
																goto L174;
															}
															if(__eflags > 0) {
																goto L51;
															}
															goto L172;
													}
												}
												_t475 =  *(_t438 + 0x318);
												_t382 = E00AEE3A5(_t475);
												__eflags = _t506;
												if(__eflags < 0) {
													goto L159;
												}
												if(__eflags > 0) {
													L157:
													__eflags =  *(_t438 + 0xfc) - 2;
													if(__eflags == 0) {
														goto L131;
													}
													_v236 = 0;
													goto L130;
												}
												__eflags = _t382 -  *(_t438 + 0x310);
												if(_t382 <  *(_t438 + 0x310)) {
													goto L159;
												}
												goto L157;
											} else {
												_t383 = _a4;
												 *(_t438 + 0xf4) = _t383;
												_t526 = _t383;
												_a4 = _t383 + 1;
												_t575 = _t526 -  *0xb922f8; // 0x0
												if(_t575 > 0 || _t526 <= 0) {
													L152:
													 *(_t438 + 0xfc) = 1;
													goto L51;
												} else {
													_t528 = (_t526 << 4) +  *0xb9232c;
													if(_t528 == 0) {
														goto L152;
													}
													_v220 = 0;
													_v212 = 0;
													_v208 = 1;
													_t514 =  *( *(_t528 + 4));
													_v224 = 0;
													_t386 =  *((short*)( *( *(_t528 + 4)) + 8));
													if(_t386 != 0) {
														__eflags = _t386 - 0x33;
														if(_t386 != 0x33) {
															_t387 = _t386 - 1;
															__eflags = _t387 - 0x7e;
															if(__eflags > 0) {
																L135:
																_t390 = E00ADFA40(_t438, _t585, _t528,  &_v224,  &_v220, 0xffffffff);
																L72:
																__eflags = _t390;
																if(__eflags < 0) {
																	L47:
																	_t529 = _v212;
																	if(_t529 != 0) {
																		 *( *(_t529 + 0xc)) =  *( *(_t529 + 0xc)) - 1;
																		__eflags =  *( *(_t529 + 0xc));
																		if( *( *(_t529 + 0xc)) == 0) {
																			L00AF017E( *_t529);
																			L00AF017E( *(_t529 + 0xc));
																			_t538 = _t538 + 8;
																		}
																		L00AF017E(_t529);
																		_t538 = _t538 + 4;
																		_v212 = 0;
																	}
																	_t510 = _v220;
																	_t475 = _v208;
																	L49:
																	if(_t475 >= 5) {
																		_t475 = _t475 + 0xfffffffb;
																		__eflags = _t475 - 0xa;
																		if(__eflags > 0) {
																			goto L50;
																		}
																		switch( *((intOrPtr*)(_t475 * 4 +  &M00B462DF))) {
																			case 0:
																				__ecx =  &_v220;
																				__eax = E00AEE3CC(__ecx, __edi);
																				goto L50;
																			case 1:
																				goto L50;
																			case 2:
																				__eflags = _t510;
																				if(__eflags != 0) {
																					_push(_t510);
																					__imp__#9();
																					L00AF017E(_v224);
																					_t538 = _t538 + 4;
																				}
																				goto L50;
																			case 3:
																				__eflags = __edx;
																				if(__eflags != 0) {
																					__ecx = __edx;
																					__eax = L00B1AA9C(__ecx, __ecx);
																				}
																				goto L50;
																			case 4:
																				L00AF017E( *((intOrPtr*)(__edx + 4))) = L00AF017E(_v220);
																				goto L50;
																			case 5:
																				__eflags = __edx;
																				if(__eflags != 0) {
																					__ecx = __edx;
																					__eax = E00B0A56F(__ecx, __ecx);
																				}
																				goto L50;
																			case 6:
																				__eflags = __edx;
																				if(__eflags != 0) {
																					__ecx = __edx;
																					__eax = E00AD1926(__ecx, __ecx);
																				}
																				goto L50;
																			case 7:
																				__eflags = __edx;
																				if(__eflags != 0) {
																					__ecx = __edx;
																					__eax = E00B0A599(__ecx, __ecx);
																				}
																				goto L50;
																		}
																	}
																	L50:
																	_v208 = 1;
																	_v220 = 0;
																	goto L51;
																}
																_t398 = ( *(_t528 + 4))[_v224];
																__eflags =  *((short*)(( *(_t528 + 4))[_v224] + 8)) - 0x7f;
																if(__eflags == 0) {
																	goto L47;
																}
																E00B1D520(_t438, _t585, 0x72,  *((short*)(_t398 + 0xa)));
																_t475 =  &_v228;
																E00AE4430(_t475);
																goto L51;
															}
															switch( *((intOrPtr*)(( *(_t387 + 0xade724) & 0x000000ff) * 4 +  &M00ADE710))) {
																case 0:
																	_t390 = E00AE44E0(_t438, _t585, 0, _t528,  &_v224,  &_v220); // executed
																	goto L72;
																case 1:
																	 &_v177 =  &_v220;
																	__eax =  &_v224;
																	__ecx = __ebx; // executed
																	__eax = E00AE3680(__ecx, __fp0, 0, __esi,  &_v224,  &_v220,  &_v177); // executed
																	goto L72;
																case 2:
																	__ecx = __ebx + 0x16c;
																	__ecx = L00B2EA97(__ebx + 0x16c);
																	__eax = L00B2CFF8(__eax, __eflags);
																	__eflags = __al;
																	if(__al != 0) {
																		__ecx = __ebx + 0x16c;
																		_v236 = L00B2EA97(__ebx + 0x16c);
																		 &_v236 =  &_v224;
																		__ecx = __ebx;
																		__eax = E00B2E2FB(__ecx, __edx, __fp0, __esi,  &_v224,  &_v236);
																		goto L72;
																	}
																	__eax =  *((short*)(__edi + 0xa));
																	__ecx = __ebx;
																	__eax = E00B1D520(__ebx, __fp0, 0xa7,  *((short*)(__edi + 0xa)));
																	__ecx =  &_v228;
																	__eax = E00AE4430(__ecx);
																	goto L51;
																case 3:
																	goto L49;
																case 4:
																	goto L135;
															}
														}
														E00ADEA00(_t438, _t585, _t528); // executed
														goto L47;
													}
													E00ADE7E0(_t438, _t585, _t528,  &_a4); // executed
													goto L47;
												}
											}
										}
									} else {
										_t560 =  *0xb91848 - 1;
										if( *0xb91848 == 1) {
											goto L32;
										}
										_t20 = 8 * _t506;
										_t506 = 8 * _t506 >> 0x20;
										_v172.wParam = 0;
										_v172.lParam = 8;
										_t279 = E00AF010A(_t438,  ~(0 | _t560 > 0x00000000) | _t20, _t514, _t560,  ~(0 | _t560 > 0x00000000) | _t20);
										_v172.message = _t279;
										 *_t279 = 0;
										_t280 = E00AF010A(_t438, 0, _t514, _t560, 4);
										_t538 = _t538 + 8;
										if(_t280 == 0) {
											_t280 = 0;
										} else {
											 *_t280 = 1;
										}
										_v148 = _t280;
										while( *0xb9183c != 0) {
											_t281 =  *0xb91840; // 0x0
											_t531 =  *_t281;
											L00B38B20( &(_v172.wParam), _t531);
											E00B16417(0xb9183c);
											__eflags = _t531;
											if(_t531 != 0) {
												L00B38BA4(_t531, 0xb9183c);
											}
											__eflags = _v172.time;
											 *0xb92364 = 0;
											if(_v172.time == 0) {
												continue;
											} else {
												_t533 = L00AECF79(_t438,  &(_v172.lParam));
												__eflags = _t533;
												if(_t533 == 0) {
													continue;
												}
												_v196 = 0;
												_v188 = 0;
												_v184 = 1;
												E00AE2570( &_v196);
												_v184 = 1;
												_v196 = _v172.wParam;
												E00ADCAEE(_t438,  &_v40, __eflags, L"@GUI_CTRLID");
												E00ADD380( &_v44,  &_v200, 1, 2);
												E00AD5CD3( &_v60);
												E00AE2570( &_v216);
												_v204 = 7;
												_v216 = _v172.wParam;
												E00ADCAEE(_t438,  &_v76, __eflags, L"@GUI_WINHANDLE");
												E00ADD380( &_v80,  &_v220, 1, 2);
												E00AD5CD3( &_v96);
												E00AE2570( &_v236);
												_v224 = 7;
												_v236 = _v180;
												E00ADCAEE(_t438,  &_v128, __eflags, L"@GUI_CTRLHANDLE");
												E00ADD380( &_v132,  &_v240, 1, 2);
												E00AD5CD3( &_v148);
												 *((char*)(_t438 + 0x484)) = 1;
												E00AD1000(_t438, _t585,  *((intOrPtr*)(_t533 + 0x10)) + 1, 1, 0);
												 *((char*)(_t438 + 0x484)) = 0;
												E00AE2570( &_v268);
												E00B1542E( &_v236);
												goto L51;
											}
										}
										if( *0xb9181c == 0) {
											__eflags =  *0xb9197c;
											if( *0xb9197c != 0) {
												L118:
												Sleep(0xa);
												goto L30;
											}
											__eflags =  *0xb92364 - 0x64;
											if( *0xb92364 >= 0x64) {
												goto L118;
											}
											 *0xb92364 =  &( *0xb92364->i);
											Sleep(0);
										}
										L30:
										_t532 = _v148;
										 *_t532 =  *_t532 - 1;
										if( *_t532 == 0) {
											L00AF017E(_v172.lParam);
											L00AF017E(_t532);
											_t538 = _t538 + 8;
										}
										goto L32;
									}
								} else {
									_t534 =  *(_t438 + 0x478);
									 *0xb92360 = 1;
									_v224 = 0;
									_v236 = _t438 + 0x478;
									L16:
									L16:
									if(_t534 != 0) {
										goto L57;
									} else {
										_t440 = _v236;
										goto L18;
									}
									while(1) {
										L18:
										_t315 =  *_t440;
										while(1) {
											L19:
											_v236 = _t315;
											if(_t315 == 0) {
												break;
											}
											__eflags =  *((char*)(_t315->i + 0x11));
											if(__eflags != 0) {
												E00B1D8E9(_t440,  &_v236);
												L18:
												_t315 =  *_t440;
												continue;
											}
											_t315 =  *(_t315 + 4);
										}
										_t438 = _v176;
										 *0xb92360 = _t315;
										if(_v224 > _t315) {
											goto L51;
										}
										_t18 =  &(_t315->i); // 0x2
										_t506 = _t18;
										goto L22;
									}
									L57:
									_t514 =  *_t534;
									__eflags =  *((char*)(_t514 + 0x11));
									if(__eflags != 0) {
										L64:
										_t534 = _t534[1];
										goto L16;
									}
									_t515 =  *((intOrPtr*)(_t514 + 0x14));
									_t333 = timeGetTime();
									_t467 = _t333;
									_t334 = _t333 - _t515;
									__eflags = _t515 - 0x7fffffff;
									if(_t515 > 0x7fffffff) {
										__eflags = _t467 - 0x7fffffff;
										if(_t467 <= 0x7fffffff) {
											L61:
											_t514 =  *_t534;
											__eflags = 0;
											if(0 < 0) {
												goto L64;
											}
											if(0 > 0) {
												L88:
												_v224 =  &(_v224->i);
												 *((intOrPtr*)(_t514 + 0x14)) = timeGetTime();
												_t336 = L00AECF79(_t438,  *_t534);
												 *((char*)( *_t534 + 0x10)) = 1;
												_t475 = _t438;
												E00AD1000(_t475, _t585,  *((intOrPtr*)(_t336 + 0x10)) + 1, 1, 0);
												 *((char*)( *_t534 + 0x10)) = 0;
												_t534 = _t534[1];
												goto L16;
											}
											__eflags = _t334 -  *((intOrPtr*)(_t514 + 0x18));
											if(__eflags >= 0) {
												goto L88;
											}
											goto L64;
										}
										L60:
										asm("cdq");
										goto L61;
									}
									__eflags = _t467 - 0x7fffffff;
									if(_t467 > 0x7fffffff) {
										goto L61;
									}
									goto L60;
								}
							}
						}
						if( *0xb91848 != 0) {
							__eflags =  *(_t438 + 0xfc);
							if(__eflags == 0) {
								goto L11;
							}
						}
						if(PeekMessageW( &_v172, 0, 0, 0, 1) != 0) {
							while(1) {
								__eflags = _v172.message - 0x12;
								if(__eflags == 0) {
									break;
								}
								_t475 = 0xb91810;
								_t324 = E00AEF381(0xb91810,  &_v172);
								__eflags = _t324;
								if(_t324 == 0) {
									_t475 = 0xb91810;
									_t328 = L00AEED1A(0xb91810,  &_v172);
									__eflags = _t328;
									if(_t328 == 0) {
										TranslateMessage( &_v172);
										DispatchMessageW( &_v172); // executed
									}
								}
								__eflags = PeekMessageW( &_v172, 0, 0, 0, 1);
								if(__eflags == 0) {
									goto L8;
								} else {
									continue;
								}
							}
							 *((char*)(_t438 + 0x100)) = 1;
							 *(_t438 + 0xfc) = 1;
						}
						L8:
						if( *0xb910c0 == 1) {
							 *0xb910c5 = 0;
							 *0xb910c0 = 0;
							 *(_t438 + 0xfc) = 1;
						}
						if( *(_t438 + 0xfc) == 1) {
							_push(_t475);
							_v176 = 0;
							L00AD2F0E( *((intOrPtr*)( *_t438 + 4)) + _t438,  &_v176);
							goto L53;
						} else {
							_t506 = 2;
							goto L11;
						}
					}
					goto L53;
				}
			}

0x00ade1f0
0x00ade1f6
0x00ade1fd
0x00ade200
0x00ade207
0x00ade210
0x00b45a0e
0x00b45a1a
0x00ade506
0x00ade50c
0x00ade50c
0x00ade216
0x00ade217
0x00ade220
0x00ade670
0x00ade670
0x00ade22d
0x00ade234
0x00ade4e7
0x00ade4e7
0x00ade4ed
0x00ade4f7
0x00ade67c
0x00ade681
0x00ade688
0x00ade504
0x00ade504
0x00000000
0x00ade504
0x00ade690
0x00ade697
0x00ade6a3
0x00ade6bd
0x00ade6bf
0x00ade6c1
0x00000000
0x00000000
0x00b462a7
0x00b462af
0x00b462bd
0x00b462d1
0x00b462d3
0x00b462d3
0x00000000
0x00b462d7
0x00ade4fe
0x00000000
0x00ade23a
0x00ade240
0x00ade247
0x00ade24c
0x00000000
0x00000000
0x00ade259
0x00b45a22
0x00b45a29
0x00ade2a2
0x00ade2a9
0x00b45a79
0x00b45a7e
0x00b45a80
0x00b45a85
0x00b45a8b
0x00b45a8d
0x00b45a8f
0x00b45aab
0x00b45aab
0x00b45aad
0x00b45afc
0x00000000
0x00b45afc
0x00b45ac0
0x00b45adc
0x00b45aec
0x00ade4d4
0x00ade4da
0x00ade4e1
0x00000000
0x00000000
0x00000000
0x00ade4e1
0x00b45a91
0x00b45a97
0x00b45a99
0x00b45a9b
0x00b45a9d
0x00000000
0x00000000
0x00b45a9f
0x00b45aa1
0x00000000
0x00000000
0x00b45aa3
0x00b45aa3
0x00b45aa4
0x00b45aa7
0x00b45aa7
0x00000000
0x00b45a97
0x00ade2af
0x00ade2b6
0x00b45b06
0x00b45b0d
0x00000000
0x00000000
0x00b45b15
0x00000000
0x00b45b15
0x00ade2bc
0x00ade2c3
0x00ade324
0x00ade32b
0x00ade3d7
0x00ade3d7
0x00ade3e0
0x00000000
0x00000000
0x00ade3ed
0x00b45cf7
0x00b45cfe
0x00000000
0x00000000
0x00b45d08
0x00b45d0d
0x00b45d17
0x00b45d1c
0x00b45d1e
0x00000000
0x00000000
0x00b45d24
0x00b45d29
0x00000000
0x00000000
0x00b45d37
0x00b45d39
0x00b45d3b
0x00000000
0x00000000
0x00b45d44
0x00b45d4f
0x00b45d5a
0x00b45d65
0x00b45d7a
0x00b45d85
0x00b45d8c
0x00b45da5
0x00b45db1
0x00b45db6
0x00b45dc8
0x00b45dd4
0x00b45ddb
0x00b45de0
0x00b45de4
0x00000000
0x00b45de4
0x00b45dee
0x00b45df2
0x00b45df2
0x00ade3f3
0x00ade3f3
0x00ade3fc
0x00b45e04
0x00b45e0a
0x00b45e0e
0x00b45e13
0x00000000
0x00000000
0x00b45e24
0x00b45e30
0x00b45e3a
0x00b45e59
0x00b45e59
0x00b45e64
0x00b45e64
0x00b45e66
0x00b45e6b
0x00b45e6b
0x00b45e72
0x00000000
0x00b45e72
0x00ade405
0x00b46149
0x00b4614f
0x00b46156
0x00b46184
0x00b46184
0x00b4618a
0x00b4618c
0x00b46191
0x00b46195
0x00b46198
0x00b461c2
0x00b461c5
0x00000000
0x00000000
0x00b461cb
0x00b461cb
0x00b461d1
0x00b461d6
0x00b461da
0x00b461dc
0x00b46224
0x00b46224
0x00b4622b
0x00b4625f
0x00b4625f
0x00b46261
0x00b4622d
0x00b4622d
0x00b46231
0x00b46235
0x00b46237
0x00b46239
0x00b46239
0x00b4623f
0x00b46240
0x00b4624e
0x00b46250
0x00b46250
0x00b4626c
0x00b46273
0x00b4627d
0x00000000
0x00b4627d
0x00b461e4
0x00b461ea
0x00b461f2
0x00b4620a
0x00b46210
0x00b46216
0x00b4621a
0x00000000
0x00b4621a
0x00b46202
0x00b46204
0x00000000
0x00000000
0x00000000
0x00b46204
0x00b4619a
0x00b461a9
0x00b461ae
0x00b461b1
0x00b461b6
0x00000000
0x00000000
0x00b461bc
0x00000000
0x00b461bc
0x00b46158
0x00b4615e
0x00b46163
0x00b46165
0x00000000
0x00000000
0x00b46167
0x00b46171
0x00b46171
0x00b46177
0x00b46179
0x00b45e41
0x00b45e47
0x00b45e47
0x00b45e51
0x00000000
0x00b45e51
0x00b46169
0x00b4616f
0x00000000
0x00000000
0x00000000
0x00ade414
0x00ade417
0x00b45fed
0x00b45ff3
0x00b45ffa
0x00b4602f
0x00b46035
0x00b46038
0x00b4603b
0x00000000
0x00000000
0x00b46041
0x00000000
0x00b46073
0x00b46075
0x00000000
0x00000000
0x00b4605c
0x00b4605e
0x00000000
0x00000000
0x00b46048
0x00b4604a
0x00b4607a
0x00b4607a
0x00b4607c
0x00b4607e
0x00000000
0x00000000
0x00000000
0x00000000
0x00b46051
0x00b46053
0x00b46063
0x00b46063
0x00b46065
0x00b46067
0x00b46080
0x00b4608c
0x00b4608e
0x00b46093
0x00b4609b
0x00b460a6
0x00b460a8
0x00b460ad
0x00b460af
0x00b460af
0x00000000
0x00000000
0x00b460b5
0x00b460b7
0x00b46126
0x00b46126
0x00b4612c
0x00b46133
0x00b4613d
0x00000000
0x00b4613d
0x00b460b9
0x00b460b9
0x00b460bf
0x00b460c2
0x00b460c9
0x00b460d5
0x00b460dd
0x00b460e8
0x00b460f3
0x00b46101
0x00b4610f
0x00b46111
0x00b46118
0x00b46121
0x00000000
0x00b46121
0x00b460c4
0x00b460c7
0x00000000
0x00000000
0x00000000
0x00b460c7
0x00b46069
0x00000000
0x00000000
0x00000000
0x00000000
0x00b46041
0x00b45ffc
0x00b46002
0x00b46007
0x00b46009
0x00000000
0x00000000
0x00b4600b
0x00b46015
0x00b46015
0x00b4601c
0x00000000
0x00000000
0x00b46022
0x00000000
0x00b46022
0x00b4600d
0x00b46013
0x00000000
0x00000000
0x00000000
0x00ade441
0x00ade441
0x00ade444
0x00ade44a
0x00ade44d
0x00ade450
0x00ade456
0x00b45fdc
0x00b45fdc
0x00000000
0x00ade464
0x00ade467
0x00ade46d
0x00000000
0x00000000
0x00ade47d
0x00ade481
0x00ade485
0x00ade489
0x00ade48b
0x00ade48f
0x00ade495
0x00ade56c
0x00ade56f
0x00ade57e
0x00ade57f
0x00ade582
0x00b45edc
0x00b45eeb
0x00ade5aa
0x00ade5aa
0x00ade5ac
0x00ade4a7
0x00ade4a7
0x00ade4ad
0x00ade5ea
0x00ade5ef
0x00ade5f2
0x00b45f13
0x00b45f1e
0x00b45f23
0x00b45f23
0x00ade5f9
0x00ade5fe
0x00ade601
0x00ade601
0x00ade4b3
0x00ade4b7
0x00ade4bb
0x00ade4be
0x00b45f2b
0x00b45f2e
0x00b45f31
0x00000000
0x00000000
0x00b45f37
0x00000000
0x00b45f73
0x00b45f77
0x00000000
0x00000000
0x00000000
0x00000000
0x00b45f3e
0x00b45f40
0x00b45f46
0x00b45f47
0x00b45f51
0x00b45f56
0x00b45f56
0x00000000
0x00000000
0x00b45f5e
0x00b45f60
0x00b45f67
0x00b45f69
0x00b45f69
0x00000000
0x00000000
0x00b45f90
0x00000000
0x00000000
0x00b45f9d
0x00b45f9f
0x00b45fa6
0x00b45fa8
0x00b45fa8
0x00000000
0x00000000
0x00b45fc7
0x00b45fc9
0x00b45fd0
0x00b45fd2
0x00b45fd2
0x00000000
0x00000000
0x00b45fb2
0x00b45fb4
0x00b45fbb
0x00b45fbd
0x00b45fbd
0x00000000
0x00000000
0x00b45f37
0x00ade4c4
0x00ade4c4
0x00ade4cc
0x00000000
0x00ade4cc
0x00ade5b9
0x00ade5bc
0x00ade5c1
0x00000000
0x00000000
0x00b45efe
0x00b45f03
0x00b45f07
0x00000000
0x00b45f07
0x00ade58f
0x00000000
0x00ade5a5
0x00000000
0x00000000
0x00ade5d1
0x00ade5d6
0x00ade5de
0x00ade5e0
0x00000000
0x00000000
0x00b45e81
0x00b45e8c
0x00b45e8e
0x00b45e93
0x00b45e95
0x00b45eb6
0x00b45ec1
0x00b45eca
0x00b45ed0
0x00b45ed2
0x00000000
0x00b45ed2
0x00b45e97
0x00b45ea1
0x00b45ea3
0x00b45ea8
0x00b45eac
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00ade58f
0x00ade574
0x00000000
0x00ade574
0x00ade4a2
0x00000000
0x00ade4a2
0x00ade456
0x00ade417
0x00ade33e
0x00ade33e
0x00ade345
0x00000000
0x00000000
0x00ade352
0x00ade352
0x00ade357
0x00ade35f
0x00ade36c
0x00ade378
0x00ade37c
0x00ade37f
0x00ade384
0x00ade389
0x00ade706
0x00ade38f
0x00ade38f
0x00ade38f
0x00ade395
0x00ade3a0
0x00b45b42
0x00b45b4b
0x00b45b4e
0x00b45b58
0x00b45b5d
0x00b45b5f
0x00b45b64
0x00b45b64
0x00b45b69
0x00b45b6e
0x00b45b78
0x00000000
0x00b45b7e
0x00b45b8a
0x00b45b8c
0x00b45b8e
0x00000000
0x00000000
0x00b45b98
0x00b45ba0
0x00b45ba8
0x00b45bb0
0x00b45bc5
0x00b45bcd
0x00b45bd1
0x00b45be7
0x00b45bf3
0x00b45bfc
0x00b45c11
0x00b45c19
0x00b45c1d
0x00b45c33
0x00b45c3f
0x00b45c48
0x00b45c5d
0x00b45c65
0x00b45c69
0x00b45c7f
0x00b45c8b
0x00b45c90
0x00b45ca2
0x00b45cab
0x00b45cb2
0x00b45cbb
0x00000000
0x00b45cbb
0x00b45b78
0x00ade3b4
0x00b45cc5
0x00b45ccc
0x00b45cea
0x00b45cec
0x00000000
0x00b45cec
0x00b45cce
0x00b45cd5
0x00000000
0x00000000
0x00b45cd7
0x00b45cdf
0x00b45cdf
0x00ade3ba
0x00ade3ba
0x00ade3be
0x00ade3c0
0x00ade3c6
0x00ade3cf
0x00ade3d4
0x00ade3d4
0x00000000
0x00ade3c0
0x00ade2ce
0x00ade2ce
0x00ade2da
0x00ade2e1
0x00ade2e9
0x00000000
0x00ade2f0
0x00ade2f2
0x00000000
0x00ade2f8
0x00ade2f8
0x00ade2f8
0x00ade2f8
0x00ade300
0x00ade300
0x00ade300
0x00ade302
0x00ade302
0x00ade302
0x00ade308
0x00000000
0x00000000
0x00ade55a
0x00ade55e
0x00b45b38
0x00ade300
0x00ade300
0x00000000
0x00ade300
0x00ade564
0x00ade564
0x00ade30e
0x00ade312
0x00ade31b
0x00000000
0x00000000
0x00ade321
0x00ade321
0x00000000
0x00ade321
0x00ade50f
0x00ade50f
0x00ade511
0x00ade515
0x00ade550
0x00ade550
0x00000000
0x00ade550
0x00ade517
0x00ade51a
0x00ade520
0x00ade522
0x00ade526
0x00ade52c
0x00b45b20
0x00b45b26
0x00ade53b
0x00ade53b
0x00ade53d
0x00ade53f
0x00000000
0x00000000
0x00ade541
0x00ade6cc
0x00ade6cc
0x00ade6d6
0x00ade6dd
0x00ade6e6
0x00ade6f1
0x00ade6f3
0x00ade6fa
0x00ade6fe
0x00000000
0x00ade6fe
0x00ade547
0x00ade54a
0x00000000
0x00000000
0x00000000
0x00ade54a
0x00ade53a
0x00ade53a
0x00000000
0x00ade53a
0x00ade532
0x00ade538
0x00000000
0x00000000
0x00000000
0x00ade538
0x00ade2c3
0x00b45a2f
0x00ade266
0x00b45a34
0x00b45a3b
0x00000000
0x00000000
0x00b45a41
0x00ade27d
0x00ade610
0x00ade610
0x00ade615
0x00000000
0x00000000
0x00ade620
0x00ade625
0x00ade62a
0x00ade62c
0x00ade633
0x00ade638
0x00ade63d
0x00ade63f
0x00ade646
0x00ade651
0x00ade651
0x00ade63f
0x00ade666
0x00ade668
0x00000000
0x00ade66e
0x00000000
0x00ade66e
0x00ade668
0x00b45a46
0x00b45a4d
0x00b45a4d
0x00ade283
0x00ade28a
0x00b45a5c
0x00b45a63
0x00b45a6a
0x00b45a6a
0x00ade297
0x00b46288
0x00b46290
0x00b4629d
0x00000000
0x00ade29d
0x00ade29d
0x00000000
0x00ade29d
0x00ade297
0x00000000
0x00ade240

APIs

PeekMessageW.USER32 ref: 00ADE279
timeGetTime.WINMM ref: 00ADE51A
TranslateMessage.USER32(?), ref: 00ADE646
DispatchMessageW.USER32 ref: 00ADE651
PeekMessageW.USER32 ref: 00ADE664
LockWindowUpdate.USER32(00000000), ref: 00ADE697
DestroyWindow.USER32 ref: 00ADE6A3
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00ADE6BD
Sleep.KERNEL32(0000000A), ref: 00B45B15
TranslateMessage.USER32(?), ref: 00B462AF
DispatchMessageW.USER32 ref: 00B462BD
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B462D1

Strings

@TRAY_ID, xrefs: 00B45D6E
@GUI_WINHANDLE, xrefs: 00B45C05
@GUI_CTRLHANDLE, xrefs: 00B45C51
@GUI_CTRLID, xrefs: 00B45BB9

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 2641332412-570651680
Opcode ID: 8368c2e4adbf045707f28ebfd62616939e2fade8f2365ba132d62d794f6cc72f
Instruction ID: 0a7ba1a988d6e2dfc4cc825ea7846cc6f88bf75fadfa09e4b2ed238f3cf66774
Opcode Fuzzy Hash: 8368c2e4adbf045707f28ebfd62616939e2fade8f2365ba132d62d794f6cc72f
Instruction Fuzzy Hash: 0A62D0705087409FDB20EF24C985BAA77E4BF45304F1449AEF94A8F392DBB1D948DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B06A28 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E00B06A28(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, signed int _a24) {
				signed int _v5;
				signed int _v6;
				signed int _v7;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* __ebp;
				void* _t200;
				void* _t204;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				void* _t213;
				signed int _t214;
				signed int _t223;
				signed int _t235;
				intOrPtr _t238;
				intOrPtr _t248;
				signed int _t250;
				signed int _t252;
				signed int _t254;
				void* _t259;
				signed int _t262;
				signed int _t264;
				void* _t267;
				signed int _t268;
				signed int* _t271;
				signed int _t272;
				signed int _t274;
				signed int _t279;
				signed int _t280;
				signed int _t282;
				signed int _t283;
				void* _t285;
				intOrPtr _t298;
				signed int _t305;
				signed int _t306;
				signed int* _t311;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				void* _t318;
				signed int* _t322;
				signed int _t325;
				signed int _t327;
				signed char _t329;
				signed char _t338;
				signed char _t344;
				signed int _t353;
				signed int _t355;
				signed int _t357;
				signed int _t365;
				signed int _t366;
				signed int _t368;
				void* _t370;
				signed int _t372;
				signed int _t373;
				signed int _t375;
				signed int _t376;
				signed int _t381;
				signed int _t383;
				signed int _t387;
				signed int* _t388;
				void* _t390;
				void* _t391;
				signed int _t394;
				signed int _t398;
				signed int _t401;
				signed int _t402;
				void* _t405;
				void* _t407;
				void* _t409;

				_t390 = __esi;
				_t386 = __edi;
				_push(__ebx);
				_t325 = 0;
				_push(__edi);
				_v36 = 0;
				_v6 = 0;
				_v60 = 0xc;
				_v56 = 0;
				if((_a16 & 0x00000080) == 0) {
					_v52 = 1;
					_v5 = 0;
				} else {
					_v52 = 0;
					_v5 = 0x10;
				}
				if(E00AF33CB( &_v36) != 0) {
					_push(_t325);
					_push(_t325);
					_push(_t325);
					_push(_t325);
					_push(_t325);
					L00AF7AB0(_t198, _t325, _t370);
					asm("int3");
					_push(1);
					_push(_v84);
					_push(_v68);
					_push(_v72);
					_push(_v76);
					_push(_v80);
					_t200 = E00B06961(_t325, _t386, _t390, __eflags); // executed
					return _t200;
				} else {
					_t329 = _a16;
					if((0x00008000 & _t329) == 0 && ((_t329 & 0x00074000) != 0 || _v36 != 0x8000)) {
						_v5 = _v5 | 0x00000080;
					}
					_t204 = (_t329 & 0x00000003) - _t325;
					if(_t204 == 0) {
						_t387 = 0x80000000;
						goto L18;
					} else {
						_t318 = _t204 - 1;
						if(_t318 == 0) {
							__eflags = _t329 & 0x00000008;
							if((_t329 & 0x00000008) == 0) {
								L16:
								_t387 = 0x40000000;
								goto L18;
							} else {
								__eflags = _t329 & 0x00070000;
								if((_t329 & 0x00070000) == 0) {
									goto L16;
								} else {
									_t387 = 0xc0000000;
									_v12 = 0xc0000000;
								}
							}
							goto L19;
						} else {
							_t418 = _t318 == 1;
							if(_t318 == 1) {
								_t387 = 0xc0000000;
								L18:
								_v12 = _t387;
								L19:
								_push(_t390);
								_t391 = 0x10;
								_t372 = 2;
								_v44 = _t372;
								_t206 = _a20 - _t391;
								__eflags = _t206;
								if(_t206 == 0) {
									_v16 = _t325;
									goto L29;
								} else {
									_t313 = _t206 - _t391;
									__eflags = _t313;
									if(_t313 == 0) {
										_v16 = 1;
										goto L29;
									} else {
										_t314 = _t313 - _t391;
										__eflags = _t314;
										if(_t314 == 0) {
											_v16 = _t372;
											goto L29;
										} else {
											_t315 = _t314 - _t391;
											__eflags = _t315;
											if(_t315 == 0) {
												_v16 = 3;
												goto L29;
											} else {
												_t316 = _t315 - 0x40;
												__eflags = _t316;
												if(__eflags != 0) {
													L42:
													 *(E00AF886A(__eflags)) = _t325;
													 *_a8 =  *_a8 | 0xffffffff;
													_t311 = E00AF889E(__eflags);
													_t325 = 0x16;
													 *_t311 = _t325;
													L00AF7AA0();
													goto L148;
												} else {
													__eflags = _t387 - 0x80000000;
													_v16 = _t316 & 0xffffff00 | _t387 == 0x80000000;
													L29:
													_t208 = _t329 & 0x00000700;
													__eflags = _t208 - 0x400;
													if(__eflags > 0) {
														__eflags = _t208 - 0x500;
														if(_t208 == 0x500) {
															L44:
															_t394 = 1;
															__eflags = 1;
															goto L45;
														} else {
															__eflags = _t208 - 0x600;
															if(_t208 == 0x600) {
																goto L43;
															} else {
																__eflags = _t208 - 0x700;
																if(__eflags == 0) {
																	goto L44;
																} else {
																	goto L42;
																}
															}
														}
													} else {
														if(__eflags == 0) {
															L37:
															_push(3);
															goto L38;
														} else {
															__eflags = _t208;
															if(_t208 == 0) {
																goto L37;
															} else {
																__eflags = _t208 - 0x100;
																if(_t208 == 0x100) {
																	_push(4);
																	goto L38;
																} else {
																	__eflags = _t208 - 0x200;
																	if(_t208 == 0x200) {
																		L43:
																		_push(5);
																		L38:
																		_pop(_t394);
																		goto L45;
																	} else {
																		__eflags = _t208 - 0x300;
																		if(__eflags != 0) {
																			goto L42;
																		} else {
																			_t394 = _t372;
																			L45:
																			_t373 = 0x80;
																			_t209 = _t325;
																			_v28 = 0x80;
																			_v20 = _t209;
																			__eflags = _t329 & 0x00000100;
																			if((_t329 & 0x00000100) != 0) {
																				_t306 =  *0xb90100; // 0x0
																				__eflags =  !_t306 & _a24;
																				_t209 = _t325;
																				if(( !_t306 & _a24) >= 0) {
																					_t373 = 1;
																					__eflags = 1;
																					_v28 = 1;
																				}
																			}
																			__eflags = _t329 & 0x00000040;
																			if((_t329 & 0x00000040) != 0) {
																				_t387 = _t387 | 0x00010000;
																				_t46 =  &_v16;
																				 *_t46 = _v16 | 0x00000004;
																				__eflags =  *_t46;
																				_t209 = 0x4000000;
																				_v20 = 0x4000000;
																				_v12 = _t387;
																			}
																			__eflags = _t329 & 0x00001000;
																			if((_t329 & 0x00001000) != 0) {
																				_t373 = _t373 | 0x00000100;
																				__eflags = _t373;
																				_v28 = _t373;
																			}
																			__eflags = _t329 & 0x00002000;
																			if((_t329 & 0x00002000) != 0) {
																				_t209 = _t209 | 0x02000000;
																				__eflags = _t209;
																				_v20 = _t209;
																			}
																			__eflags = _t329 & 0x00000020;
																			if(__eflags == 0) {
																				__eflags = _t329 & 0x00000010;
																				if(__eflags != 0) {
																					_t305 = _t209 | 0x10000000;
																					__eflags = _t305;
																					goto L58;
																				}
																			} else {
																				_t305 = _t209 | 0x08000000;
																				L58:
																				_v20 = _t305;
																			}
																			_t210 = E00AFB72C(_t325, _t329, _t373, _t387, _t394, __eflags);
																			_t388 = _a8;
																			 *_t388 = _t210;
																			__eflags = _t210 - 0xffffffff;
																			if(__eflags != 0) {
																				 *_a4 = 1;
																				_t213 = E00B068D0(__eflags, _a12, _v12, _v16,  &_v60, _t394, _v28, _v20); // executed
																				_t407 = _t405 + 0x1c;
																				_v32 = _t213;
																				__eflags = _t213 - 0xffffffff;
																				if(_t213 != 0xffffffff) {
																					L70:
																					_t214 = GetFileType(_t213); // executed
																					__eflags = _t214;
																					if(_t214 != 0) {
																						__eflags = _t214 - 2;
																						if(_t214 != 2) {
																							__eflags = _t214 - 3;
																							if(_t214 == 3) {
																								_t96 =  &_v5;
																								 *_t96 = _v5 | 0x00000008;
																								__eflags =  *_t96;
																							}
																						} else {
																							_v5 = _v5 | 0x00000040;
																						}
																						E00AFB9BE(_t394,  *_t388, _v32);
																						_t375 = _v5 | 0x00000001;
																						 *( *((intOrPtr*)(0xb90940 + ( *_t388 >> 5) * 4)) + (( *_t388 & 0x0000001f) << 6) + 4) = _t375;
																						_v5 = _t375;
																						 *( *((intOrPtr*)(0xb90940 + ( *_t388 >> 5) * 4)) + (( *_t388 & 0x0000001f) << 6) + 0x24) =  *( *((intOrPtr*)(0xb90940 + ( *_t388 >> 5) * 4)) + (( *_t388 & 0x0000001f) << 6) + 0x24) & 0x00000080;
																						_t338 = _a16;
																						_t223 = _t375 & 0x00000048;
																						__eflags = _t223;
																						_v7 = _t223;
																						if(_t223 != 0) {
																							L88:
																							__eflags = _t375;
																							if(_t375 >= 0) {
																								goto L140;
																							} else {
																								__eflags = _t338 & 0x00074000;
																								if((_t338 & 0x00074000) == 0) {
																									_t279 = _v36 & 0x00074000;
																									__eflags = _t279;
																									if(_t279 != 0) {
																										_t338 = _t338 | _t279;
																										__eflags = _t338;
																									} else {
																										_t338 = _t338 | 0x00004000;
																									}
																									_a16 = _t338;
																								}
																								_t250 = _t338 & 0x00074000;
																								__eflags = _t250 - 0x4000;
																								if(_t250 == 0x4000) {
																									_v6 = _t325;
																								} else {
																									__eflags = _t250 - 0x10000;
																									if(_t250 == 0x10000) {
																										L102:
																										__eflags = (_t338 & 0x00000301) - 0x301;
																										if((_t338 & 0x00000301) == 0x301) {
																											goto L103;
																										}
																									} else {
																										__eflags = _t250 - 0x14000;
																										if(_t250 == 0x14000) {
																											goto L102;
																										} else {
																											__eflags = _t250 - 0x20000;
																											if(_t250 == 0x20000) {
																												L103:
																												_v6 = 2;
																											} else {
																												__eflags = _t250 - 0x24000;
																												if(_t250 == 0x24000) {
																													goto L103;
																												} else {
																													__eflags = _t250 - 0x40000;
																													if(_t250 == 0x40000) {
																														L101:
																														_v6 = 1;
																													} else {
																														__eflags = _t250 - 0x44000;
																														if(_t250 == 0x44000) {
																															goto L101;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								__eflags = _t338 & 0x00070000;
																								if((_t338 & 0x00070000) == 0) {
																									goto L140;
																								} else {
																									_v24 = _t325;
																									__eflags = _t375 & 0x00000040;
																									if((_t375 & 0x00000040) != 0) {
																										goto L140;
																									} else {
																										_t252 = _v12 & 0xc0000000;
																										__eflags = _t252 - 0x40000000;
																										if(_t252 == 0x40000000) {
																											__eflags = _t394;
																											if(_t394 == 0) {
																												goto L140;
																											} else {
																												_t357 = 2;
																												__eflags = _t394 - 0xc0000000;
																												if(_t394 <= 0xc0000000) {
																													goto L134;
																												} else {
																													__eflags = _t394 - 4;
																													if(__eflags > 0) {
																														goto L113;
																													} else {
																														_t262 = E00B005DF(_t357, __eflags,  *_t388, _t325, _t325, 0xc0000000);
																														_t407 = _t407 + 0x10;
																														__eflags = _t262 | _t375;
																														if(__eflags == 0) {
																															goto L133;
																														} else {
																															goto L131;
																														}
																													}
																												}
																											}
																										} else {
																											__eflags = _t252 - 0x80000000;
																											if(_t252 == 0x80000000) {
																												L117:
																												_push(3);
																												_push( &_v24);
																												_push( *_t388);
																												_t267 = L00AFFBBF();
																												_t407 = _t407 + 0xc;
																												__eflags = _t267 - 0xffffffff;
																												if(__eflags == 0) {
																													goto L82;
																												} else {
																													_t357 = _v24;
																													_t375 = 2;
																													__eflags = _t267 - _t375;
																													if(_t267 == _t375) {
																														L122:
																														_t357 = _t357 & 0x0000ffff;
																														__eflags = _t357 - 0xfffe;
																														if(__eflags != 0) {
																															__eflags = _t357 - 0xfeff;
																															if(__eflags != 0) {
																																goto L131;
																															} else {
																																_t268 = E00B005DF(_t357, __eflags,  *_t388, _t375, _t325, _t325);
																																_t407 = _t407 + 0x10;
																																__eflags = (_t268 & _t375) - 0xffffffff;
																																if(__eflags == 0) {
																																	goto L82;
																																} else {
																																	_v6 = 2;
																																	goto L140;
																																}
																															}
																														} else {
																															E00AFF84C(__eflags,  *_t388);
																															_t271 = E00AF889E(__eflags);
																															_t325 = 0x16;
																															 *_t271 = _t325;
																														}
																													} else {
																														__eflags = _t267 - 3;
																														if(__eflags != 0) {
																															L131:
																															_t264 = E00B005DF(_t357, __eflags,  *_t388, _t325, _t325, _t325);
																															_t407 = _t407 + 0x10;
																															__eflags = (_t264 & _t375) - 0xffffffff;
																															if(__eflags != 0) {
																																goto L140;
																															} else {
																																goto L82;
																															}
																														} else {
																															__eflags = _t357 - 0xbfbbef;
																															if(_t357 != 0xbfbbef) {
																																goto L122;
																															} else {
																																_v6 = 1;
																																goto L140;
																															}
																														}
																													}
																												}
																											} else {
																												__eflags = _t252 - 0xc0000000;
																												if(_t252 != 0xc0000000) {
																													goto L140;
																												} else {
																													__eflags = _t394;
																													if(_t394 == 0) {
																														goto L140;
																													} else {
																														_t357 = 2;
																														__eflags = _t394 - 0xc0000000;
																														if(_t394 <= 0xc0000000) {
																															L134:
																															_t401 = _t325;
																															_t254 = _v6 - 1;
																															__eflags = _t254;
																															if(__eflags == 0) {
																																_t357 = 3;
																																_v24 = 0xbfbbef;
																																_v44 = _t357;
																																goto L138;
																															} else {
																																__eflags = _t254 - 1;
																																if(__eflags != 0) {
																																	goto L140;
																																} else {
																																	_v24 = 0xfeff;
																																	while(1) {
																																		L138:
																																		_push(_t357 - _t401);
																																		_push( &_v24 + _t401);
																																		_push( *_t388);
																																		_t259 = E00AFBD14(_t325, _t357, _t388, _t401, __eflags);
																																		_t407 = _t407 + 0xc;
																																		__eflags = _t259 - 0xffffffff;
																																		if(__eflags == 0) {
																																			goto L82;
																																		}
																																		_t357 = _v44;
																																		_t401 = _t401 + _t259;
																																		__eflags = _t357 - _t401;
																																		if(__eflags > 0) {
																																			continue;
																																		} else {
																																			goto L140;
																																		}
																																		goto L148;
																																	}
																																	goto L82;
																																}
																															}
																														} else {
																															__eflags = _t394 - 4;
																															if(__eflags <= 0) {
																																_t272 = E00B005DF(_t357, __eflags,  *_t388, _t325, _t325, 0xc0000000);
																																_t407 = _t407 + 0x10;
																																__eflags = _t272 | _t375;
																																if(__eflags == 0) {
																																	L133:
																																	_t357 = 2;
																																	goto L134;
																																} else {
																																	_t274 = E00B005DF(_t357, __eflags,  *_t388, _t325, _t325, _t325);
																																	_t407 = _t407 + 0x10;
																																	__eflags = (_t274 & _t375) - 0xffffffff;
																																	if(__eflags == 0) {
																																		goto L82;
																																	} else {
																																		goto L117;
																																	}
																																}
																															} else {
																																L113:
																																__eflags = _t394 - 5;
																																if(_t394 == 5) {
																																	goto L134;
																																} else {
																																	goto L140;
																																}
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						} else {
																							__eflags = _t375;
																							if(_t375 >= 0) {
																								L140:
																								_t376 =  *_t388;
																								_t150 = ((_t376 & 0x0000001f) << 6) + 0x24; // 0x473ce8
																								 *( *((intOrPtr*)(0xb90940 + (_t376 >> 5) * 4)) + ((_t376 & 0x0000001f) << 6) + 0x24) =  *( *((intOrPtr*)(0xb90940 + (_t376 >> 5) * 4)) + ((_t376 & 0x0000001f) << 6) + 0x24) ^ ( *( *((intOrPtr*)(0xb90940 + (_t376 >> 5) * 4)) + _t150) ^ _v6) & 0x0000007f;
																								 *( *((intOrPtr*)(0xb90940 + ( *_t388 >> 5) * 4)) + (( *_t388 & 0x0000001f) << 6) + 0x24) = _a16 >> 0x00000010 << 0x00000007 |  *( *((intOrPtr*)(0xb90940 + ( *_t388 >> 5) * 4)) + (( *_t388 & 0x0000001f) << 6) + 0x24) & 0x0000007f;
																								_t344 = _a16;
																								__eflags = _v7 - _t325;
																								if(_v7 == _t325) {
																									__eflags = _t344 & 0x00000008;
																									if((_t344 & 0x00000008) != 0) {
																										_t353 =  *_t388;
																										_t248 =  *((intOrPtr*)(0xb90940 + (_t353 >> 5) * 4));
																										_t355 = (_t353 & 0x0000001f) << 6;
																										_t169 = _t248 + _t355 + 4;
																										 *_t169 =  *(_t248 + _t355 + 4) | 0x00000020;
																										__eflags =  *_t169;
																										_t344 = _a16;
																									}
																								}
																								_t398 = _v12;
																								__eflags = (_t398 & 0xc0000000) - 0xc0000000;
																								if((_t398 & 0xc0000000) == 0xc0000000) {
																									__eflags = _t344 & 0x00000001;
																									if(__eflags != 0) {
																										CloseHandle(_v32);
																										_t238 = E00B068D0(__eflags, _a12, _t398 & 0x7fffffff, _v16,  &_v60, 3, _v28, _v20);
																										__eflags = _t238 - 0xffffffff;
																										if(_t238 != 0xffffffff) {
																											_t381 =  *_t388;
																											_t383 = (_t381 & 0x0000001f) << 6;
																											__eflags = _t383;
																											 *((intOrPtr*)(_t383 +  *((intOrPtr*)(0xb90940 + (_t381 >> 5) * 4)))) = _t238;
																										} else {
																											E00AF887D(GetLastError());
																											 *( *((intOrPtr*)(0xb90940 + ( *_t388 >> 5) * 4)) + (( *_t388 & 0x0000001f) << 6) + 4) =  *( *((intOrPtr*)(0xb90940 + ( *_t388 >> 5) * 4)) + (( *_t388 & 0x0000001f) << 6) + 4) & 0x000000fe;
																											E00AFB8D1( *_t388);
																											goto L68;
																										}
																									}
																								}
																							} else {
																								__eflags = _t338 & 0x00000002;
																								if(__eflags == 0) {
																									goto L88;
																								} else {
																									_t280 = E00B005DF(_t338, __eflags,  *_t388, 0xffffffff, 0xffffffff, 2);
																									_t360 = _t280 & _t375;
																									_t407 = _t407 + 0x10;
																									_v48 = _t280;
																									_v24 = _t375;
																									__eflags = (_t280 & _t375) - 0xffffffff;
																									if(__eflags != 0) {
																										_push(1);
																										_push( &_v40);
																										_push( *_t388);
																										_v40 = _t325;
																										_t282 = L00AFFBBF();
																										_t409 = _t407 + 0xc;
																										__eflags = _t282;
																										if(__eflags != 0) {
																											L86:
																											_t283 = E00B005DF(_t360, __eflags,  *_t388, _t325, _t325, _t325);
																											_t407 = _t409 + 0x10;
																											__eflags = (_t283 & _t375) - 0xffffffff;
																											if(__eflags == 0) {
																												goto L82;
																											} else {
																												goto L87;
																											}
																										} else {
																											__eflags = _v40 - 0x1a;
																											if(__eflags != 0) {
																												goto L86;
																											} else {
																												_t285 = L00B07CF0(_t360, _t375, __eflags,  *_t388, _v48, _v24);
																												_t409 = _t409 + 0xc;
																												__eflags = _t285 - 0xffffffff;
																												if(__eflags == 0) {
																													goto L82;
																												} else {
																													goto L86;
																												}
																											}
																										}
																									} else {
																										__eflags =  *(E00AF886A(__eflags)) - 0x83;
																										if(__eflags == 0) {
																											L87:
																											_t375 = _v5;
																											_t338 = _a16;
																											goto L88;
																										} else {
																											L82:
																											E00AFF84C(__eflags,  *_t388);
																											goto L68;
																										}
																									}
																								}
																							}
																						}
																					} else {
																						 *( *((intOrPtr*)(0xb90940 + ( *_t388 >> 5) * 4)) + (( *_t388 & 0x0000001f) << 6) + 4) =  *( *((intOrPtr*)(0xb90940 + ( *_t388 >> 5) * 4)) + (( *_t388 & 0x0000001f) << 6) + 4) & 0x000000fe;
																						_t402 = GetLastError();
																						E00AF887D(_t402);
																						CloseHandle(_v32);
																						__eflags = _t402;
																						if(__eflags == 0) {
																							 *(E00AF889E(__eflags)) = 0xd;
																						}
																						goto L69;
																					}
																				} else {
																					_t365 = _v12;
																					__eflags = (_t365 & 0xc0000000) - 0xc0000000;
																					if((_t365 & 0xc0000000) != 0xc0000000) {
																						L67:
																						_t366 =  *_t388;
																						_t298 =  *((intOrPtr*)(0xb90940 + (_t366 >> 5) * 4));
																						_t368 = (_t366 & 0x0000001f) << 6;
																						_t83 = _t298 + _t368 + 4;
																						 *_t83 =  *(_t298 + _t368 + 4) & 0x000000fe;
																						__eflags =  *_t83;
																						E00AF887D(GetLastError());
																						L68:
																						L69:
																						_t325 =  *(E00AF889E(__eflags));
																					} else {
																						__eflags = _a16 & 0x00000001;
																						if(__eflags == 0) {
																							goto L67;
																						} else {
																							_v12 = _t365 & 0x7fffffff;
																							_t213 = E00B068D0(__eflags, _a12, _t365 & 0x7fffffff, _v16,  &_v60, _t394, _v28, _v20);
																							_t407 = _t407 + 0x1c;
																							_v32 = _t213;
																							__eflags = _t213 - 0xffffffff;
																							if(_t213 != 0xffffffff) {
																								goto L70;
																							} else {
																								goto L67;
																							}
																						}
																					}
																				}
																				L148:
																				_t235 = _t325;
																			} else {
																				 *(E00AF886A(__eflags)) = _t325;
																				 *_t388 =  *_t388 | 0xffffffff;
																				__eflags =  *_t388;
																				 *(E00AF889E(__eflags)) = 0x18;
																				_t235 =  *(E00AF889E(__eflags));
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							} else {
								 *(E00AF886A(_t418)) = _t325;
								 *_a8 =  *_a8 | 0xffffffff;
								_t322 = E00AF889E(_t418);
								_t327 = 0x16;
								 *_t322 = _t327;
								L00AF7AA0();
								_t235 = _t327;
							}
						}
					}
					return _t235;
				}
			}

0x00b06a28
0x00b06a28
0x00b06a2e
0x00b06a2f
0x00b06a35
0x00b06a36
0x00b06a39
0x00b06a3c
0x00b06a43
0x00b06a46
0x00b06a51
0x00b06a58
0x00b06a48
0x00b06a48
0x00b06a4b
0x00b06a4b
0x00b06a67
0x00b0716e
0x00b0716f
0x00b07170
0x00b07171
0x00b07172
0x00b07173
0x00b07178
0x00b0717c
0x00b0717e
0x00b07181
0x00b07184
0x00b07187
0x00b0718a
0x00b0718d
0x00b07196
0x00b06a6d
0x00b06a6d
0x00b06a77
0x00b06a86
0x00b06a86
0x00b06a94
0x00b06a96
0x00b06ae0
0x00000000
0x00b06a98
0x00b06a98
0x00b06a99
0x00b06ac5
0x00b06ac8
0x00b06ad9
0x00b06ad9
0x00000000
0x00b06aca
0x00b06aca
0x00b06ad0
0x00000000
0x00b06ad2
0x00b06ad2
0x00b06ad4
0x00b06ad4
0x00b06ad0
0x00000000
0x00b06a9b
0x00b06a9b
0x00b06a9c
0x00b06ac1
0x00b06ae5
0x00b06ae5
0x00b06ae8
0x00b06aeb
0x00b06aee
0x00b06af1
0x00b06af2
0x00b06af5
0x00b06af5
0x00b06af7
0x00b06b2f
0x00000000
0x00b06af9
0x00b06af9
0x00b06af9
0x00b06afb
0x00b06b26
0x00000000
0x00b06afd
0x00b06afd
0x00b06afd
0x00b06aff
0x00b06b21
0x00000000
0x00b06b01
0x00b06b01
0x00b06b01
0x00b06b03
0x00b06b18
0x00000000
0x00b06b05
0x00b06b05
0x00b06b05
0x00b06b08
0x00b06b7f
0x00b06b84
0x00b06b89
0x00b06b8c
0x00b06b93
0x00b06b94
0x00b06b96
0x00000000
0x00b06b0a
0x00b06b0a
0x00b06b13
0x00b06b32
0x00b06b34
0x00b06b3e
0x00b06b40
0x00b06b6a
0x00b06b6f
0x00b06ba4
0x00b06ba6
0x00b06ba6
0x00000000
0x00b06b71
0x00b06b71
0x00b06b76
0x00000000
0x00b06b78
0x00b06b78
0x00b06b7d
0x00000000
0x00000000
0x00000000
0x00000000
0x00b06b7d
0x00b06b76
0x00b06b42
0x00b06b42
0x00b06b65
0x00b06b65
0x00000000
0x00b06b44
0x00b06b44
0x00b06b46
0x00000000
0x00b06b48
0x00b06b48
0x00b06b4d
0x00b06b61
0x00000000
0x00b06b4f
0x00b06b4f
0x00b06b54
0x00b06ba0
0x00b06ba0
0x00b06b67
0x00b06b67
0x00000000
0x00b06b56
0x00b06b56
0x00b06b5b
0x00000000
0x00b06b5d
0x00b06b5d
0x00b06ba7
0x00b06ba7
0x00b06bac
0x00b06bae
0x00b06bb1
0x00b06bb4
0x00b06bba
0x00b06bbc
0x00b06bc6
0x00b06bc8
0x00b06bca
0x00b06bce
0x00b06bce
0x00b06bcf
0x00b06bcf
0x00b06bca
0x00b06bd2
0x00b06bd5
0x00b06bd7
0x00b06bdd
0x00b06bdd
0x00b06bdd
0x00b06be1
0x00b06be6
0x00b06be9
0x00b06be9
0x00b06bec
0x00b06bf2
0x00b06bf4
0x00b06bf4
0x00b06bfa
0x00b06bfa
0x00b06bfd
0x00b06c03
0x00b06c05
0x00b06c05
0x00b06c0a
0x00b06c0a
0x00b06c0d
0x00b06c10
0x00b06c19
0x00b06c1c
0x00b06c1e
0x00b06c1e
0x00000000
0x00b06c1e
0x00b06c12
0x00b06c12
0x00b06c23
0x00b06c23
0x00b06c23
0x00b06c26
0x00b06c2b
0x00b06c2e
0x00b06c30
0x00b06c33
0x00b06c5f
0x00b06c73
0x00b06c78
0x00b06c7b
0x00b06c7e
0x00b06c81
0x00b06cf6
0x00b06cf7
0x00b06cfd
0x00b06cff
0x00b06d43
0x00b06d46
0x00b06d4e
0x00b06d51
0x00b06d53
0x00b06d53
0x00b06d53
0x00b06d53
0x00b06d48
0x00b06d48
0x00b06d48
0x00b06d5c
0x00b06d7a
0x00b06d7d
0x00b06d95
0x00b06d98
0x00b06d9d
0x00b06da2
0x00b06da2
0x00b06da4
0x00b06da7
0x00b06e43
0x00b06e43
0x00b06e45
0x00000000
0x00b06e4b
0x00b06e4b
0x00b06e51
0x00b06e56
0x00b06e56
0x00b06e5b
0x00b06e65
0x00b06e65
0x00b06e5d
0x00b06e5d
0x00b06e5d
0x00b06e67
0x00b06e67
0x00b06e6c
0x00b06e71
0x00b06e76
0x00b06ebc
0x00b06e78
0x00b06e78
0x00b06e7d
0x00b06ea8
0x00b06eaf
0x00b06eb4
0x00000000
0x00000000
0x00b06e7f
0x00b06e7f
0x00b06e84
0x00000000
0x00b06e86
0x00b06e86
0x00b06e8b
0x00b06eb6
0x00b06eb6
0x00b06e8d
0x00b06e8d
0x00b06e92
0x00000000
0x00b06e94
0x00b06e94
0x00b06e99
0x00b06ea2
0x00b06ea2
0x00b06e9b
0x00b06e9b
0x00b06ea0
0x00000000
0x00000000
0x00b06ea0
0x00b06e99
0x00b06e92
0x00b06e8b
0x00b06e84
0x00b06e7d
0x00b06ebf
0x00b06ec5
0x00000000
0x00b06ecb
0x00b06ecb
0x00b06ece
0x00b06ed1
0x00000000
0x00b06ed7
0x00b06edf
0x00b06ee1
0x00b06ee6
0x00b06fd9
0x00b06fdb
0x00000000
0x00b06fe1
0x00b06fe3
0x00b06fe4
0x00b06fe6
0x00000000
0x00b06fe8
0x00b06fe8
0x00b06feb
0x00000000
0x00b06ff1
0x00b06ff6
0x00b06ffb
0x00b06ffe
0x00b07000
0x00000000
0x00000000
0x00000000
0x00000000
0x00b07000
0x00b06feb
0x00b06fe6
0x00b06eec
0x00b06eec
0x00b06ef1
0x00b06f4e
0x00b06f4e
0x00b06f53
0x00b06f54
0x00b06f56
0x00b06f5b
0x00b06f5e
0x00b06f61
0x00000000
0x00b06f67
0x00b06f67
0x00b06f6c
0x00b06f6d
0x00b06f6f
0x00b06f8b
0x00b06f8b
0x00b06f91
0x00b06f97
0x00b06fb0
0x00b06fb6
0x00000000
0x00b06fb8
0x00b06fbd
0x00b06fc4
0x00b06fc7
0x00b06fca
0x00000000
0x00b06fd0
0x00b06fd0
0x00000000
0x00b06fd0
0x00b06fca
0x00b06f99
0x00b06f9b
0x00b06fa1
0x00b06fa8
0x00b06fa9
0x00b06fa9
0x00b06f71
0x00b06f71
0x00b06f74
0x00b07002
0x00b07007
0x00b0700e
0x00b07011
0x00b07014
0x00000000
0x00b07016
0x00000000
0x00b07016
0x00b06f7a
0x00b06f7a
0x00b06f80
0x00000000
0x00b06f82
0x00b06f82
0x00000000
0x00b06f82
0x00b06f80
0x00b06f74
0x00b06f6f
0x00b06ef3
0x00b06ef3
0x00b06ef5
0x00000000
0x00b06efb
0x00b06efb
0x00b06efd
0x00000000
0x00b06f03
0x00b06f05
0x00b06f06
0x00b06f08
0x00b0701e
0x00b07022
0x00b07024
0x00b07024
0x00b07025
0x00b07035
0x00b07036
0x00b0703d
0x00000000
0x00b07027
0x00b07027
0x00b07028
0x00000000
0x00b0702a
0x00b0702a
0x00b07040
0x00b07040
0x00b07044
0x00b0704a
0x00b0704b
0x00b0704d
0x00b07052
0x00b07055
0x00b07058
0x00000000
0x00000000
0x00b0705e
0x00b07061
0x00b07063
0x00b07065
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00b07065
0x00000000
0x00b07040
0x00b07028
0x00b06f0e
0x00b06f0e
0x00b06f11
0x00b06f26
0x00b06f2b
0x00b06f2e
0x00b06f30
0x00b0701b
0x00b0701d
0x00000000
0x00b06f36
0x00b06f3b
0x00b06f42
0x00b06f45
0x00b06f48
0x00000000
0x00000000
0x00000000
0x00000000
0x00b06f48
0x00b06f13
0x00b06f13
0x00b06f13
0x00b06f16
0x00000000
0x00b06f1c
0x00000000
0x00b06f1c
0x00b06f16
0x00b06f11
0x00b06f08
0x00b06efd
0x00b06ef5
0x00b06ef1
0x00b06ee6
0x00b06ed1
0x00b06ec5
0x00b06dad
0x00b06dad
0x00b06daf
0x00b07067
0x00b07067
0x00b0707b
0x00b07084
0x00b070ad
0x00b070b1
0x00b070b4
0x00b070b7
0x00b070b9
0x00b070bc
0x00b070be
0x00b070c8
0x00b070cf
0x00b070d2
0x00b070d2
0x00b070d2
0x00b070d7
0x00b070d7
0x00b070bc
0x00b070da
0x00b070e6
0x00b070e8
0x00b070ea
0x00b070ed
0x00b070f2
0x00b07111
0x00b07119
0x00b0711c
0x00b07150
0x00b07161
0x00b07161
0x00b07164
0x00b0711e
0x00b07125
0x00b0713e
0x00b07145
0x00000000
0x00b0714a
0x00b0711c
0x00b070ed
0x00b06db5
0x00b06db5
0x00b06db8
0x00000000
0x00b06dbe
0x00b06dc6
0x00b06dcd
0x00b06dcf
0x00b06dd2
0x00b06dd5
0x00b06dd8
0x00b06ddb
0x00b06df6
0x00b06dfb
0x00b06dfc
0x00b06dfe
0x00b06e01
0x00b06e06
0x00b06e09
0x00b06e0b
0x00b06e29
0x00b06e2e
0x00b06e35
0x00b06e38
0x00b06e3b
0x00000000
0x00000000
0x00000000
0x00000000
0x00b06e0d
0x00b06e0d
0x00b06e12
0x00000000
0x00b06e14
0x00b06e1c
0x00b06e21
0x00b06e24
0x00b06e27
0x00000000
0x00000000
0x00000000
0x00000000
0x00b06e27
0x00b06e12
0x00b06ddd
0x00b06de2
0x00b06de8
0x00b06e3d
0x00b06e3d
0x00b06e40
0x00000000
0x00b06dea
0x00b06dea
0x00b06dec
0x00000000
0x00b06dec
0x00b06de8
0x00b06ddb
0x00b06db8
0x00b06daf
0x00b06d01
0x00b06d15
0x00b06d20
0x00b06d23
0x00b06d2c
0x00b06d32
0x00b06d34
0x00b06d3b
0x00b06d3b
0x00000000
0x00b06d34
0x00b06c83
0x00b06c83
0x00b06c8f
0x00b06c91
0x00b06cc4
0x00b06cc4
0x00b06cce
0x00b06cd5
0x00b06cd8
0x00b06cd8
0x00b06cd8
0x00b06ce4
0x00b06ce9
0x00b06cea
0x00b06cef
0x00b06c93
0x00b06c93
0x00b06c97
0x00000000
0x00b06c99
0x00b06cad
0x00b06cb4
0x00b06cb9
0x00b06cbc
0x00b06cbf
0x00b06cc2
0x00000000
0x00000000
0x00000000
0x00000000
0x00b06cc2
0x00b06c97
0x00b06c91
0x00b07167
0x00b07167
0x00b06c35
0x00b06c3a
0x00b06c3c
0x00b06c3c
0x00b06c44
0x00b06c4f
0x00b06c4f
0x00b06c33
0x00b06b5b
0x00b06b54
0x00b06b4d
0x00b06b46
0x00b06b42
0x00b06b40
0x00b06b08
0x00b06b03
0x00b06aff
0x00b06afb
0x00b06a9e
0x00b06aa3
0x00b06aa8
0x00b06aab
0x00b06ab2
0x00b06ab3
0x00b06ab5
0x00b06aba
0x00b06aba
0x00b06a9c
0x00b06a99
0x00b06c55
0x00b06c55

APIs

___createFile.LIBCMT ref: 00B06C73
___createFile.LIBCMT ref: 00B06CB4
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00B06CDD
__dosmaperr.LIBCMT ref: 00B06CE4
GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00B06CF7
GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00B06D1A
__dosmaperr.LIBCMT ref: 00B06D23
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00B06D2C
__set_osfhnd.LIBCMT ref: 00B06D5C
__lseeki64_nolock.LIBCMT ref: 00B06DC6
__close_nolock.LIBCMT ref: 00B06DEC
__chsize_nolock.LIBCMT ref: 00B06E1C
__lseeki64_nolock.LIBCMT ref: 00B06E2E
__lseeki64_nolock.LIBCMT ref: 00B06F26
__lseeki64_nolock.LIBCMT ref: 00B06F3B
__close_nolock.LIBCMT ref: 00B06F9B

Part of subcall function 00AFF84C: FindCloseChangeNotification.KERNELBASE(00000000,00B7EEC4,00000000,?,00B06DF1,00B7EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00AFF89C
Part of subcall function 00AFF84C: GetLastError.KERNEL32(?,00B06DF1,00B7EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00AFF8A6
Part of subcall function 00AFF84C: __free_osfhnd.LIBCMT ref: 00AFF8B3
Part of subcall function 00AFF84C: __dosmaperr.LIBCMT ref: 00AFF8D5

Part of subcall function 00AF889E: __getptd_noexit.LIBCMT ref: 00AF889E

__lseeki64_nolock.LIBCMT ref: 00B06FBD
CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00B070F2
___createFile.LIBCMT ref: 00B07111
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00B0711E
__dosmaperr.LIBCMT ref: 00B07125
__free_osfhnd.LIBCMT ref: 00B07145
__invoke_watson.LIBCMT ref: 00B07173
__wsopen_helper.LIBCMT ref: 00B0718D

Strings

@, xrefs: 00B06D48

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$Close___create$Handle__close_nolock__free_osfhnd$ChangeFindNotificationType__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
String ID: @
API String ID: 3388700018-2766056989
Opcode ID: a41d42c97c0e4aefe52d3b8bbaa67cf6975c1584b0d60cbb9008d37378809e40
Instruction ID: 7eb56b682adfb5d0f6bfb503197f2ad12338fa8414f5b90590b78ea41cf26d5a
Opcode Fuzzy Hash: a41d42c97c0e4aefe52d3b8bbaa67cf6975c1584b0d60cbb9008d37378809e40
Instruction Fuzzy Hash: 2E221571D0420A9FEB259F68DC927BE7FE1EB00364F2442A9E511EB2E1DB358D60C751

Uniqueness

Uniqueness Score: -1.00%

Function 00B201E4 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00B2026A
_wcschr.LIBCMT ref: 00B20278
_wcscpy.LIBCMT ref: 00B2028F
_wcscat.LIBCMT ref: 00B2029E
_wcscat.LIBCMT ref: 00B202BC
_wcscpy.LIBCMT ref: 00B202DD
__wsplitpath.LIBCMT ref: 00B203BA
_wcscpy.LIBCMT ref: 00B203DF
_wcscpy.LIBCMT ref: 00B203F1
_wcscpy.LIBCMT ref: 00B20406
_wcscat.LIBCMT ref: 00B2041B
_wcscat.LIBCMT ref: 00B2042D
_wcscat.LIBCMT ref: 00B20442

Part of subcall function 00B1C890: _wcscmp.LIBCMT ref: 00B1C92A
Part of subcall function 00B1C890: __wsplitpath.LIBCMT ref: 00B1C96F
Part of subcall function 00B1C890: _wcscpy.LIBCMT ref: 00B1C982
Part of subcall function 00B1C890: _wcscat.LIBCMT ref: 00B1C995
Part of subcall function 00B1C890: __wsplitpath.LIBCMT ref: 00B1C9BA
Part of subcall function 00B1C890: _wcscat.LIBCMT ref: 00B1C9D0
Part of subcall function 00B1C890: _wcscat.LIBCMT ref: 00B1C9E3

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00B20235

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: c5c57537bc43277618a6b75a697db16abc365ec3c45f1c7f6ce5a486c2fdb3d1
Instruction ID: 45c90100494ee0d11de9180c0f47b628dbfe089de20aeb6a74ed012dedba6a6e
Opcode Fuzzy Hash: c5c57537bc43277618a6b75a697db16abc365ec3c45f1c7f6ce5a486c2fdb3d1
Instruction Fuzzy Hash: DC91B471504305AFCB20FB50DA95FAEB3E8EF48310F00489EF54997252EB74EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AD4257 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 235COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104,?,00000000,00000001,00000000), ref: 00AD428C

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

Part of subcall function 00AF1BC7: __wcsicmp_l.LIBCMT ref: 00AF1C50

_wcscpy.LIBCMT ref: 00AD43C0
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 00B4214E

Strings

CMDLINE, xrefs: 00AD42DA, 00AD42DF, 00AD430D
CMDLINERAW, xrefs: 00AD42AD
/ErrorStdOut, xrefs: 00AD434B
/AutoIt3ExecuteLine, xrefs: 00AD4375
C:\Users\user\Desktop\file.exe, xrefs: 00AD4283, 00AD4288, 00AD4292, 00AD43BB, 00AD43D9, 00B4213B, 00B42192
/AutoIt3ExecuteScript, xrefs: 00AD438A
/AutoIt3OutputDebug, xrefs: 00AD4360

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\file.exe$CMDLINE$CMDLINERAW
API String ID: 861526374-3969133328
Opcode ID: 18c358b2e0ce6ac88a380c37e8bd3f64c692eb6855df2052bce6f66f6d8b1082
Instruction ID: a79b4f41f4944612b7a008b887699a1658c5d462b595f85e6337be76fef9f678
Opcode Fuzzy Hash: 18c358b2e0ce6ac88a380c37e8bd3f64c692eb6855df2052bce6f66f6d8b1082
Instruction Fuzzy Hash: F0816F7690011AABCB05EBE4CE52EEFB7B8AF04350F500017F542B7291EF706A45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AD2F58 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AD2F8B
RegisterClassExW.USER32 ref: 00AD2FB5
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AD2FC6
InitCommonControlsEx.COMCTL32(?), ref: 00AD2FE3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AD2FF3
LoadIconW.USER32(000000A9), ref: 00AD3009
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AD3018

Strings

+, xrefs: 00AD2F74
TaskbarCreated, xrefs: 00AD2FBB
AutoIt v3 GUI, xrefs: 00AD2FA7
0, xrefs: 00AD2F6D

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 373ecb87932bd636da2216f1d487d6b5b95d1a7fb7cfa1487e00f19a8fd83c04
Instruction ID: 8d2d58ee3a6431af350c784eb1548fcdf2afb64c242faa9fbd4abfa86166c161
Opcode Fuzzy Hash: 373ecb87932bd636da2216f1d487d6b5b95d1a7fb7cfa1487e00f19a8fd83c04
Instruction Fuzzy Hash: 9021E3B5900309AFDB109FA8E989BCEBBF4FB08701F00465AF611A72A0DBB10544EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B1C890 Relevance: 18.3, APIs: 12, Instructions: 316fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

Part of subcall function 00B1C6A0: __time64.LIBCMT ref: 00B1C6AA

Part of subcall function 00AD41A7: _fseek.LIBCMT ref: 00AD41BF

__wsplitpath.LIBCMT ref: 00B1C96F

Part of subcall function 00AF297D: __wsplitpath_helper.LIBCMT ref: 00AF29BD

_wcscpy.LIBCMT ref: 00B1C982
_wcscat.LIBCMT ref: 00B1C995
__wsplitpath.LIBCMT ref: 00B1C9BA
_wcscat.LIBCMT ref: 00B1C9D0
_wcscat.LIBCMT ref: 00B1C9E3

Part of subcall function 00B1C6E4: _memmove.LIBCMT ref: 00B1C71D
Part of subcall function 00B1C6E4: _memmove.LIBCMT ref: 00B1C72C

_wcscmp.LIBCMT ref: 00B1C92A

Part of subcall function 00B1CE59: _wcscmp.LIBCMT ref: 00B1CF49
Part of subcall function 00B1CE59: _wcscmp.LIBCMT ref: 00B1CF5C

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B1CB8D
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B1CC24
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B1CC3A
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B1CC4B
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B1CC5D

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_malloc_wcscpy
String ID:
API String ID: 4129907686-0
Opcode ID: f87a0cea6671c2f4c41d81179cc0ab5d2e69e04962035b450177daca80695052
Instruction ID: dadd1694cb346d813f963741b83aafdfbdd0e773426bc955e8a27bbc16e3337e
Opcode Fuzzy Hash: f87a0cea6671c2f4c41d81179cc0ab5d2e69e04962035b450177daca80695052
Instruction Fuzzy Hash: A3C12DB190021DAACF11DFA5CC81EEEBBB9EF59310F4041E6F609E6151DB709A84CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AEE975 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00AEEA39
__wsplitpath.LIBCMT ref: 00AEEA56

Part of subcall function 00AF297D: __wsplitpath_helper.LIBCMT ref: 00AF29BD

_wcsncat.LIBCMT ref: 00AEEA69
__makepath.LIBCMT ref: 00AEEA85

Part of subcall function 00AF2BFF: __wmakepath_s.LIBCMT ref: 00AF2C13

Part of subcall function 00AF010A: std::exception::exception.LIBCMT ref: 00AF013E
Part of subcall function 00AF010A: __CxxThrowException@8.LIBCMT ref: 00AF0153

_wcscpy.LIBCMT ref: 00AEEABE

Part of subcall function 00AEEB05: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00AEEADA,?,?), ref: 00AEEB27

_wcscat.LIBCMT ref: 00B432FC
_wcscat.LIBCMT ref: 00B43334
_wcsncpy.LIBCMT ref: 00B43370

Strings

\, xrefs: 00B43321
Include, xrefs: 00AEEA63

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::exception::exception
String ID: Include$\
API String ID: 1742390404-3429789819
Opcode ID: 1ad817c0dc33991b0a0459217c6899f98cf987f550b68b341ba123e3f9214e40
Instruction ID: 41a3e6a5d8ed0f2239c1caa52432e222f1705c69b5171b7adeee1837d8b12cf8
Opcode Fuzzy Hash: 1ad817c0dc33991b0a0459217c6899f98cf987f550b68b341ba123e3f9214e40
Instruction Fuzzy Hash: AB5171B2809344BFC314EFA5EE85CA6B7E8FB49300B40492FF54583261DF749648CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00AD29C2 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00AD2A33
KillTimer.USER32(?,00000001), ref: 00AD2A5D
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AD2A80
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AD2A8B
CreatePopupMenu.USER32 ref: 00AD2A9F
PostQuitMessage.USER32(00000000), ref: 00AD2AAE

Strings

TaskbarCreated, xrefs: 00AD2A86

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 072e5882e56a5fef53dd391a378bf27f1fd6c10a4eda504f273a3dda69767465
Instruction ID: 7f80add611377f1c8126431742f55d6384738b495cfcd158136d1a810f791a01
Opcode Fuzzy Hash: 072e5882e56a5fef53dd391a378bf27f1fd6c10a4eda504f273a3dda69767465
Instruction Fuzzy Hash: 3A412531214246AFDB34AF689D09BBA36A5FB34380F4406A7F503933B1DE608D80F365

Uniqueness

Uniqueness Score: -1.00%

Function 00AD30A5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AD30B0
LoadCursorW.USER32(00000000,00007F00), ref: 00AD30BF
LoadIconW.USER32(00000063), ref: 00AD30D5
LoadIconW.USER32(000000A4), ref: 00AD30E7
LoadIconW.USER32(000000A2), ref: 00AD30F9

Part of subcall function 00AD318A: LoadImageW.USER32 ref: 00AD31AE

RegisterClassExW.USER32 ref: 00AD3167

Part of subcall function 00AD2F58: GetSysColorBrush.USER32(0000000F), ref: 00AD2F8B
Part of subcall function 00AD2F58: RegisterClassExW.USER32 ref: 00AD2FB5
Part of subcall function 00AD2F58: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AD2FC6
Part of subcall function 00AD2F58: InitCommonControlsEx.COMCTL32(?), ref: 00AD2FE3
Part of subcall function 00AD2F58: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AD2FF3
Part of subcall function 00AD2F58: LoadIconW.USER32(000000A9), ref: 00AD3009
Part of subcall function 00AD2F58: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AD3018

Strings

0, xrefs: 00AD3139
#, xrefs: 00AD3140
AutoIt v3, xrefs: 00AD3156

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b5793b630c0da59766e3a39c78d49bd2cab3c4e77c55c6f9a518379ac9246fff
Instruction ID: 8dffd57ad0236edec5604dc148a8623b7a1399961ad800e150c2eb1b8d9ae359
Opcode Fuzzy Hash: b5793b630c0da59766e3a39c78d49bd2cab3c4e77c55c6f9a518379ac9246fff
Instruction Fuzzy Hash: 49215EB0D04315ABCB11DFA9EE4AB99BFF5EB48310F008A2BE214A32A0DB754540DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00AD45A7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AD45F0
CoUninitialize.OLE32(?,00000000), ref: 00AD4695
UnregisterHotKey.USER32(?), ref: 00AD47BD
DestroyWindow.USER32(?), ref: 00B45936
FreeLibrary.KERNEL32(?), ref: 00B4599D
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B459CA

Strings

close all, xrefs: 00AD45EB

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d3a29472b4a3d7f83eedd82c9041937e3b89be5e08c0621b7a8efa86601bbee1
Instruction ID: 31aba384e5e0a026e8dc6dbb8771c1bd5d6261470aff22e62f5c9b66077e3bdd
Opcode Fuzzy Hash: d3a29472b4a3d7f83eedd82c9041937e3b89be5e08c0621b7a8efa86601bbee1
Instruction Fuzzy Hash: 27910635610602CFC719EF24C995BA8F7B4FF19701F5442AAE44BA7262DB30AE66CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00AEEB05 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00AEEADA,?,?), ref: 00AEEB27
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,00AEEADA,?,?), ref: 00B44B26
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,00AEEADA,?,?), ref: 00B44B65
RegCloseKey.ADVAPI32(?,?,00AEEADA,?,?), ref: 00B44B94

Strings

Include, xrefs: 00B44B1E, 00B44B5D
Software\AutoIt v3\AutoIt, xrefs: 00AEEB1D

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 9324eb0e67c07ec0d20956dbed4b210ee9fd2593ccdac3b96151d2298bb406fa
Instruction ID: f005c151e07c5d20479e149d15dbbfd3bbe8aa046a442d05496a85ced49ac575
Opcode Fuzzy Hash: 9324eb0e67c07ec0d20956dbed4b210ee9fd2593ccdac3b96151d2298bb406fa
Instruction Fuzzy Hash: 91113A71A00208BEEB149BA4CD96EBE77BCEB08754F100499F506E71A1EAB09E51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AD2E9D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00AD2ECB
CreateWindowExW.USER32 ref: 00AD2EEC
ShowWindow.USER32(00000000), ref: 00AD2F00
ShowWindow.USER32(00000000), ref: 00AD2F09

Strings

AutoIt v3, xrefs: 00AD2EC3, 00AD2EC8, 00AD2EC9
edit, xrefs: 00AD2EE6

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b8b133ecdac9494ac707c3af5700271d3134a07596c8d0fae7056d396a7b6ff0
Instruction ID: 6a4a2034902cda3b93d34b231da7c9da8c3e7637581f2aded4c4374e7e5986bc
Opcode Fuzzy Hash: b8b133ecdac9494ac707c3af5700271d3134a07596c8d0fae7056d396a7b6ff0
Instruction Fuzzy Hash: 3BF05471A402D17AD731976B6D0DE773E7ED7C6F10F01455FBA0893170C9660881EA70

Uniqueness

Uniqueness Score: -1.00%

Function 00B1CC82 Relevance: 9.2, APIs: 6, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00AD41A7: _fseek.LIBCMT ref: 00AD41BF

Part of subcall function 00B1CE59: _wcscmp.LIBCMT ref: 00B1CF49
Part of subcall function 00B1CE59: _wcscmp.LIBCMT ref: 00B1CF5C

_malloc.LIBCMT ref: 00B1CD7D
_malloc.LIBCMT ref: 00B1CD87
_free.LIBCMT ref: 00B1CDC9
_free.LIBCMT ref: 00B1CDD0
_free.LIBCMT ref: 00B1CE3B

Part of subcall function 00AF28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00AF8715,00000000,00AF88A3,00AF4673,?), ref: 00AF28DE
Part of subcall function 00AF28CA: GetLastError.KERNEL32(00000000,?,00AF8715,00000000,00AF88A3,00AF4673,?), ref: 00AF28F0

_free.LIBCMT ref: 00B1CE43

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _free$_malloc_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 2231465579-0
Opcode ID: fbfbab9d6938923cc599f054cc8fa6200797277e53095d9ab741e9962b18b598
Instruction ID: bd1b91658868ae6670db94aa836bfa349f7a612c8327c0532fb2b7c4d15532cd
Opcode Fuzzy Hash: fbfbab9d6938923cc599f054cc8fa6200797277e53095d9ab741e9962b18b598
Instruction Fuzzy Hash: 6E514BB1904218AFDF149FA4DC81BAEBBB9EF48340F1040AEF659A3251D7715E808F69

Uniqueness

Uniqueness Score: -1.00%

Function 00AD3DCB Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00AD3F9B: LoadLibraryExW.KERNELBASE(00000001,00000000,00000002,?,?,?,?,00AD34E2,?,00000001), ref: 00AD3FCD

_free.LIBCMT ref: 00B43C27
_free.LIBCMT ref: 00B43C6E

Part of subcall function 00ADBDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,00B922E8,?,00000000,?,00AD3E2E,?,00000000,?,00B6DBF0,00000000,?), ref: 00ADBE8B
Part of subcall function 00ADBDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,00AD3E2E,?,00000000,?,00B6DBF0,00000000,?,00000002), ref: 00ADBEA7
Part of subcall function 00ADBDF0: __wsplitpath.LIBCMT ref: 00ADBF19
Part of subcall function 00ADBDF0: _wcscpy.LIBCMT ref: 00ADBF31
Part of subcall function 00ADBDF0: _wcscat.LIBCMT ref: 00ADBF46
Part of subcall function 00ADBDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 00ADBF56

Strings

Bad directive syntax error, xrefs: 00B43C54
>>>AUTOIT SCRIPT<<<, xrefs: 00B43A01

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 1510338132-1757145024
Opcode ID: 44d7a585b13257fdc4154550813881e90dd4738449b474d71052c92c83125c59
Instruction ID: b4022d403f828b75148e07c6f28fe228d5ce65ca0252468fc79b5a116657c207
Opcode Fuzzy Hash: 44d7a585b13257fdc4154550813881e90dd4738449b474d71052c92c83125c59
Instruction Fuzzy Hash: C1917E71A10219AFCF04EFA4CC919EEB7F4FF08710F5444AAF416AB291EB34AA45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AF413E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 00AF418E

Part of subcall function 00AF889E: __getptd_noexit.LIBCMT ref: 00AF889E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00AF41C9
__wopenfile.LIBCMT ref: 00AF41D9

Strings

<G, xrefs: 00AF415D, 00AF4180, 00AF418C

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 590a3ca58fbaa884516277bbda6e03b36d046e35adfa99b2efb708ea0398bf00
Instruction ID: 13de683c6facdd67d00b2e467852930c64c5e5e59417584282a7aefc74575260
Opcode Fuzzy Hash: 590a3ca58fbaa884516277bbda6e03b36d046e35adfa99b2efb708ea0398bf00
Instruction Fuzzy Hash: E811C67090020E9EEB10BFF48D426BF3BF4AF58790B148625BA15DB291EB74C99197A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AEC955 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00AEC948,SwapMouseButtons,00000004,?), ref: 00AEC979
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00AEC948,SwapMouseButtons,00000004,?,?,?,?,00AEBF22), ref: 00AEC99A
RegCloseKey.KERNELBASE(00000000,?,?,00AEC948,SwapMouseButtons,00000004,?,?,?,?,00AEBF22), ref: 00AEC9BC

Strings

Control Panel\Mouse, xrefs: 00AEC977

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f450379f75410a8a83fcbe0810a9e2ac0bc5a0d14f2c3e48c6d849935cd37bc3
Instruction ID: 485564f6dd774f7260532e8ef93315307d76a4832d3a9ad2f0d4029ca3a2d56d
Opcode Fuzzy Hash: f450379f75410a8a83fcbe0810a9e2ac0bc5a0d14f2c3e48c6d849935cd37bc3
Instruction Fuzzy Hash: ED117976611248BFDB218FA5DC44EAF7BB8EF04760F00456AA841E7211E631AE429B60

Uniqueness

Uniqueness Score: -1.00%

Function 00AD131C Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

Part of subcall function 00AD16F2: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00AD14EB), ref: 00AD1751

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AD159B
CoInitialize.OLE32(00000000), ref: 00AD1612
CloseHandle.KERNEL32(00000000), ref: 00B458F7

Strings

pd, xrefs: 00AD14C5

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Handle$CloseInitializeMessageRegisterWindow
String ID: pd
API String ID: 3815369404-4287077725
Opcode ID: 5db0e690ea1e05975245b3f78d2a34f4b390656b98acf29184688c92d899d68a
Instruction ID: 6a6b3accd9f2dc8c15959f408f7aad9c59d75e8c1a806701410526c5f1fcf2fd
Opcode Fuzzy Hash: 5db0e690ea1e05975245b3f78d2a34f4b390656b98acf29184688c92d899d68a
Instruction Fuzzy Hash: EA71DBB59052439BC701DFAEAB90458BBE8FB5C3447954EAFD01A973A2CF344804EF66

Uniqueness

Uniqueness Score: -1.00%

Function 00AD1E58 Relevance: 6.1, APIs: 4, Instructions: 65timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AD1E87

Part of subcall function 00AD38E4: _memset.LIBCMT ref: 00AD3965
Part of subcall function 00AD38E4: _wcscpy.LIBCMT ref: 00AD39B5
Part of subcall function 00AD38E4: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AD39C6

KillTimer.USER32(?,00000001), ref: 00AD1EDC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AD1EEB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B44526

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 853367b6cb974166cd4f3d7f5812f06d7c6306282ca127f506c2627ff833afdb
Instruction ID: d7f73c672aaaf3c1f440cc5712d3c67d79c5e3c03c60467cb49e3033d19b5c6b
Opcode Fuzzy Hash: 853367b6cb974166cd4f3d7f5812f06d7c6306282ca127f506c2627ff833afdb
Instruction Fuzzy Hash: 7321F6B1904784AFEB328B248855BFBBBECDB12308F0404CEE69E97241CB745A84DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AD3BFF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B43CF1
GetOpenFileNameW.COMDLG32(?,?,00000001,00B922E8), ref: 00B43D35

Part of subcall function 00AD31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00AD31DA

Part of subcall function 00AD3A67: SHGetMalloc.SHELL32(00AD3C31), ref: 00AD3A7D
Part of subcall function 00AD3A67: SHGetDesktopFolder.SHELL32(?), ref: 00AD3A8F
Part of subcall function 00AD3A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 00AD3AD2

Part of subcall function 00AD3B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,00B922E8,?), ref: 00AD3B65

Strings

X, xrefs: 00B43D01

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: NamePath$Full$DesktopFileFolderFromListMallocOpen_memset
String ID: X
API String ID: 3714316930-3081909835
Opcode ID: 1d0c532a9f77137a4cd6c9bbf8f31df4ff41c9aee6d61c41d95a45f5cff9b87c
Instruction ID: 29626bbbdef13fe2b0b0afa20de33097e7f500a476ab18905e18331fd7da3d52
Opcode Fuzzy Hash: 1d0c532a9f77137a4cd6c9bbf8f31df4ff41c9aee6d61c41d95a45f5cff9b87c
Instruction Fuzzy Hash: B811CA72A10288ABCF05EFD4D8456DE7BF9AF45B04F04400BE501BB341CBF54A49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D009 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B1D01E
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B1D035

Strings

aut, xrefs: 00B1D02F

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: efec365556794e1e56770ac21e82bbca5cdd6c29630c9fded907563397dfa864
Instruction ID: d1dd749c7bbe4f77cd1b15bf3a14c41c32f6f15a2cb7b8e8f5897cd14a8f5338
Opcode Fuzzy Hash: efec365556794e1e56770ac21e82bbca5cdd6c29630c9fded907563397dfa864
Instruction Fuzzy Hash: C8D05EB154030EBBDB20ABA0ED0EF99B7ACA700B05F1042D0B615D20E1D6B0D6458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AD3A67 Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(00AD3C31), ref: 00AD3A7D
SHGetPathFromIDListW.SHELL32(?,?), ref: 00AD3AD2
SHGetDesktopFolder.SHELL32(?), ref: 00AD3A8F

Part of subcall function 00AD3B1E: _wcsncpy.LIBCMT ref: 00AD3B32

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: DesktopFolderFromListMallocPath_wcsncpy
String ID:
API String ID: 3981382179-0
Opcode ID: b6f2ea646b0ff9dec06d939071f9e24eded2076fd8e90db55290af213077407a
Instruction ID: 7e969339dbd658db90c623814c0e9c11d538d1278c4f68ae3fd554a58e16058a
Opcode Fuzzy Hash: b6f2ea646b0ff9dec06d939071f9e24eded2076fd8e90db55290af213077407a
Instruction Fuzzy Hash: A3215076B00114ABCB14DF95DC84EEEB7BDEF88740B144196F50AD7251DB309E46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AF010A Relevance: 4.5, APIs: 3, Instructions: 43COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00AF0122

Part of subcall function 00AF45EC: __FF_MSGBANNER.LIBCMT ref: 00AF4603
Part of subcall function 00AF45EC: __NMSG_WRITE.LIBCMT ref: 00AF460A
Part of subcall function 00AF45EC: RtlAllocateHeap.NTDLL(00ED0000,00000000,00000001,?,?,?,?,00AF0127,?,00AD125D,00000058,?,?), ref: 00AF462F

std::exception::exception.LIBCMT ref: 00AF013E
__CxxThrowException@8.LIBCMT ref: 00AF0153

Part of subcall function 00AF7495: RaiseException.KERNEL32(?,?,00AD125D,00B86598,?,?,?,00AF0158,00AD125D,00B86598,?,00000001), ref: 00AF74E6

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID:
API String ID: 3074076210-0
Opcode ID: da787573c016e926592db4c13c505a48d2925776ba909e367d0a58c9fb46ae96
Instruction ID: 831f3db8f0e1283c01e6cd64936da4ac726fb6468a4f0fa3201c02a3658880e2
Opcode Fuzzy Hash: da787573c016e926592db4c13c505a48d2925776ba909e367d0a58c9fb46ae96
Instruction Fuzzy Hash: D8F0A43610421D66C725BBE8D902EFF7BEC9F04391F100665FF0496192DBB08A84D6A9

Uniqueness

Uniqueness Score: -1.00%

Function 00B1C0D1 Relevance: 4.5, APIs: 3, Instructions: 32COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00B1C0DB

Part of subcall function 00AF45EC: __FF_MSGBANNER.LIBCMT ref: 00AF4603
Part of subcall function 00AF45EC: __NMSG_WRITE.LIBCMT ref: 00AF460A
Part of subcall function 00AF45EC: RtlAllocateHeap.NTDLL(00ED0000,00000000,00000001,?,?,?,?,00AF0127,?,00AD125D,00000058,?,?), ref: 00AF462F

_malloc.LIBCMT ref: 00B1C0EF
_malloc.LIBCMT ref: 00B1C103

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID:
API String ID: 680241177-0
Opcode ID: db95fd7cb9e789c52ff20dc643abc366be1aa617846a1615629a832e725f52d6
Instruction ID: 6381208f3beaca4047f625b72d4a35e9ee97157f874b76c5846e6aafaacbfe63
Opcode Fuzzy Hash: db95fd7cb9e789c52ff20dc643abc366be1aa617846a1615629a832e725f52d6
Instruction Fuzzy Hash: 16F0A0B1388711ABC7516EF558827ABEAD89B48391F50006EF748D7202DBB4CCD08AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B1CFC8 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00B1CC71,?,?,?,?,?,00000004), ref: 00B1CFE1
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B1CC71,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00B1CFF7
CloseHandle.KERNEL32(00000000,?,00B1CC71,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B1CFFE

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 152263223c2e9d008c009e7d3b5f635025acb7a81a8b3f84b73dea4ab82d6b57
Instruction ID: d1f1581e1bf0fd777ca638d4dad7f2c36d95b85dc63a847017d88c91a834d1d3
Opcode Fuzzy Hash: 152263223c2e9d008c009e7d3b5f635025acb7a81a8b3f84b73dea4ab82d6b57
Instruction Fuzzy Hash: 71E08632140714B7D7311B54AC09FCA7F19EB09771F104250FB147A0E08BB169519798

Uniqueness

Uniqueness Score: -1.00%

Function 00B1C450 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B1C45E

Part of subcall function 00AF28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,00AF8715,00000000,00AF88A3,00AF4673,?), ref: 00AF28DE
Part of subcall function 00AF28CA: GetLastError.KERNEL32(00000000,?,00AF8715,00000000,00AF88A3,00AF4673,?), ref: 00AF28F0

_free.LIBCMT ref: 00B1C46F
_free.LIBCMT ref: 00B1C481

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6aa3b1e5da2832baa3565b775b747617bd0a6026d08cf9f5b5c0dfc9a3fccd7e
Instruction ID: 7457fbcf367636a2d253e6f6978152788c735a007a6bf05679c23c3d66205419
Opcode Fuzzy Hash: 6aa3b1e5da2832baa3565b775b747617bd0a6026d08cf9f5b5c0dfc9a3fccd7e
Instruction Fuzzy Hash: C8E0C2A224470082CA20A9B87940BF313CCAF04390B14086DF589DB242CF14E88082B8

Uniqueness

Uniqueness Score: -1.00%

Function 00AD4010 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

_memmove.LIBCMT ref: 00AD405A

Strings

EA06, xrefs: 00B457B9

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _malloc_memmove
String ID: EA06
API String ID: 1183979061-3962188686
Opcode ID: 3c4f09428d9a98b585a9f525c9f2d3a23e00b24eb1d576f1d04fb8b34e3ff1f3
Instruction ID: 68a435c4b6bcd2e5ab43939931637149a7308157593622865336465eca5d07e7
Opcode Fuzzy Hash: 3c4f09428d9a98b585a9f525c9f2d3a23e00b24eb1d576f1d04fb8b34e3ff1f3
Instruction Fuzzy Hash: B7416C31A081549BDF119B6489617BE7FB1DB5D300F184677FA839B383C6358E8487A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AD34C1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00B434AA

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: >>>AUTOIT NO CMDEXECUTE<<<
API String ID: 1029625771-2684727018
Opcode ID: 93324fd5a75bb669ff85fa3209a3872b133ba1007696526ac70d770ea99fdf8d
Instruction ID: a9734b89697aa6c73c9486bddf5d9bdb61a8b2150b17b6d9ae82eb0c2eb0bc57
Opcode Fuzzy Hash: 93324fd5a75bb669ff85fa3209a3872b133ba1007696526ac70d770ea99fdf8d
Instruction Fuzzy Hash: 6CF0C872D0020DAE8F01EFB0C9518FFB7F8AE10300B148067F81392281EB349B09DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B19310 Relevance: 3.2, APIs: 2, Instructions: 215COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B193E4
_memmove.LIBCMT ref: 00B19402

Part of subcall function 00B19569: _memmove.LIBCMT ref: 00B195F7

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 76e596c0f914dc8d8fb96acca557711878ff0ba8120bfd89b55d7c56f92c4b13
Instruction ID: 86db94b3f3ad10bc2a0fa75fa6e2e64009d4a86278bde50849ea2f758c69c818
Opcode Fuzzy Hash: 76e596c0f914dc8d8fb96acca557711878ff0ba8120bfd89b55d7c56f92c4b13
Instruction Fuzzy Hash: 537104711007849FCB25DF14D5A5BFA77E6EF90360FA48498E8966B382D735AC82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AEF461 Relevance: 3.2, APIs: 2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: f9a9c66429a6657db8ea6616564e9bb420c85087840ff5b9306d3c5dd0a647bb
Instruction ID: 34df50af86b51345a6b09b0512e9b1172ee5e45d3da2a775975d1c2555e60c43
Opcode Fuzzy Hash: f9a9c66429a6657db8ea6616564e9bb420c85087840ff5b9306d3c5dd0a647bb
Instruction Fuzzy Hash: DA51B2316043019FCB14EF69C991BAA73E5EF49320F44856EF9968B392DB30E945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B18C32 Relevance: 3.1, APIs: 2, Instructions: 137COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B18C4B
_memset.LIBCMT ref: 00B18D62

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: BuffCharLower_memset
String ID:
API String ID: 819421995-0
Opcode ID: 9bb103cd4e773315ffb55c99b717a80774091d433ad452c61e5e51b894faa85b
Instruction ID: 4b919e523b7e49106330ba274e0ef9ba3c673dd4aafbade4149c7ed3a0a84743
Opcode Fuzzy Hash: 9bb103cd4e773315ffb55c99b717a80774091d433ad452c61e5e51b894faa85b
Instruction Fuzzy Hash: F141A572500309AFCB11DFA4D8819EAB7F8FF54350B60857EE556D7291EF709A80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AF35E7 Relevance: 3.1, APIs: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AF367B
__flush.LIBCMT ref: 00AF369B

Part of subcall function 00AF889E: __getptd_noexit.LIBCMT ref: 00AF889E

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: __flush__getptd_noexit_memmove
String ID:
API String ID: 3662107617-0
Opcode ID: 9e5238af4f93087f8e5510cddb81ebd4f4ffd6b6554c3a66413832ef0355d351
Instruction ID: 07cc3c2b3262e1b15ba5c5ab5dedba492a1c772d964c9e48000070eb73e94be1
Opcode Fuzzy Hash: 9e5238af4f93087f8e5510cddb81ebd4f4ffd6b6554c3a66413832ef0355d351
Instruction Fuzzy Hash: 0F4192B260060EAFDF58DFE9C88057F77A5AB443A0B24852DFA45C7240EA70DF408B50

Uniqueness

Uniqueness Score: -1.00%

Function 00ADBBD9 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ADBC33
_memmove.LIBCMT ref: 00ADBC9E

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 87bdff9e38bb1fb64760561b7d68f516a565533b3bedc0235329b379a6af7d39
Instruction ID: 8e1d2a65a789d03a9936029966dcf30d17ec8ab316076a6a01cc6cbe44ef3e35
Opcode Fuzzy Hash: 87bdff9e38bb1fb64760561b7d68f516a565533b3bedc0235329b379a6af7d39
Instruction Fuzzy Hash: C231A4B1620506EFC704CF69C8D1E69F3A8FF48320755822AE51ACB391DB30E920CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AD3682 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00AD36E6

Part of subcall function 00AF2025: __lock.LIBCMT ref: 00AF202B

Part of subcall function 00AD32DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00AD32F6
Part of subcall function 00AD32DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AD330B

Part of subcall function 00AD374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 00AD376D
Part of subcall function 00AD374E: IsDebuggerPresent.KERNEL32(?,?), ref: 00AD377F
Part of subcall function 00AD374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\file.exe,00000104,?,00B91120,C:\Users\user\Desktop\file.exe,00B91124,?,?), ref: 00AD37EE
Part of subcall function 00AD374E: SetCurrentDirectoryW.KERNEL32(?), ref: 00AD3860

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00AD3726

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
String ID:
API String ID: 924797094-0
Opcode ID: 6fbfb2dc5427441e17bfaaf34c9942c450a26f890f7ff0698c3d2c0b87ecb288
Instruction ID: de829c8c9cc6ccb2d09fc559d3c341690f0a57c1a9ab435011d2a5d3cad17061
Opcode Fuzzy Hash: 6fbfb2dc5427441e17bfaaf34c9942c450a26f890f7ff0698c3d2c0b87ecb288
Instruction Fuzzy Hash: 2411AC71808341AFC710EF6AEA05A1ABFF8FB84710F008A1FF455832B1DBB19944CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00AD4B88 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000001,?,00AD4C2B,?,?,?,?,00ADBE63), ref: 00AD4BB6
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000001,?,00AD4C2B,?,?,?,?,00ADBE63), ref: 00B44972

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e70df00f95bf737e84864206ebc2d2609cd69471304368128fac1f1767f6efce
Instruction ID: a7d29104411a73e8e569e5a73a67734e5b31ebaefb38c7b681f89d5519f4537b
Opcode Fuzzy Hash: e70df00f95bf737e84864206ebc2d2609cd69471304368128fac1f1767f6efce
Instruction Fuzzy Hash: DD01B570248308BFF3344E24CC8AF663BDCEB19768F14835ABAE56A2E0C6B05D44DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00AFF782 Relevance: 3.1, APIs: 2, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00AFF7D9
__close_nolock.LIBCMT ref: 00AFF7F2

Part of subcall function 00AF886A: __getptd_noexit.LIBCMT ref: 00AF886A

Part of subcall function 00AF889E: __getptd_noexit.LIBCMT ref: 00AF889E

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle__close_nolock
String ID:
API String ID: 1046115767-0
Opcode ID: 232fd38f7a42f46d1fb183bd7d62f3f8a7723e292bb7648b24e34ca235b78ee8
Instruction ID: 1df82274529a385d7d69595e587a99921ed5fde3dc3ca9b62e27faa8d7aaa2bd
Opcode Fuzzy Hash: 232fd38f7a42f46d1fb183bd7d62f3f8a7723e292bb7648b24e34ca235b78ee8
Instruction Fuzzy Hash: 05117C3281561C9ED7117FE8DA823787AA06F513B1F6602A1F7206B2F2CBB8590087E1

Uniqueness

Uniqueness Score: -1.00%

Function 00AD34F3 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00AD352A

Part of subcall function 00AD7E53: _memmove.LIBCMT ref: 00AD7EB9

_wcscat.LIBCMT ref: 00B466C0

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID:
API String ID: 257928180-0
Opcode ID: c7a67d3bc8e6ab0e882d6755c109b1772aad7510a4a9ecd692cbdde50731c743
Instruction ID: 6f9a372a3965b6c5e79132511bdc063340a9e35d9259e04910492b3fd0a6899f
Opcode Fuzzy Hash: c7a67d3bc8e6ab0e882d6755c109b1772aad7510a4a9ecd692cbdde50731c743
Instruction Fuzzy Hash: 3001847290410DAACF00EBA4DA45ADD77F9EF24348F0045E7BA17D3391EE709B859B92

Uniqueness

Uniqueness Score: -1.00%

Function 00AD318A Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00AD31AE
EnumResourceNamesW.KERNEL32(00000000,0000000E,00B17212,00000063,00000000,74921C00,?,?,00AD3118,?,?,000000FF), ref: 00B44AFE

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID:
API String ID: 1578290342-0
Opcode ID: 9d1af3613b5c4b9f05ddd7fa7c95c4dd2cc1f4cbda52a6d2c1885dca5012c6b0
Instruction ID: ef28a98a8a6c8d8a07d55607d743a717b83f599765e4d2c4fb2f4779e9514796
Opcode Fuzzy Hash: 9d1af3613b5c4b9f05ddd7fa7c95c4dd2cc1f4cbda52a6d2c1885dca5012c6b0
Instruction Fuzzy Hash: 55F06271680312B6DA204B1ABD4BF923AA9E705BB5F100A07F215A72E0DAE19580A790

Uniqueness

Uniqueness Score: -1.00%

Function 00AF4274 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00AF889E: __getptd_noexit.LIBCMT ref: 00AF889E

__lock_file.LIBCMT ref: 00AF42B9

Part of subcall function 00AF5A9F: __lock.LIBCMT ref: 00AF5AC2

__fclose_nolock.LIBCMT ref: 00AF42C4

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: a5432717f298372408e607a87d6a3a217c5fe4bf5f05571d70b121c5baace46f
Instruction ID: 733de6fe9b8c5eb2ccc5f38c98b48cdc19cbc0a0d9bcb98b59dda8d1ead1680e
Opcode Fuzzy Hash: a5432717f298372408e607a87d6a3a217c5fe4bf5f05571d70b121c5baace46f
Instruction Fuzzy Hash: 37F0BE3190170D9AE710BBF989027BF6BE06F44334F218219BA24AB1C2CB7C99419B91

Uniqueness

Uniqueness Score: -1.00%

Function 00AE4040 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba24e8b534b505ab8c0e69147733f98ad5642a6c089115b981356bfd54727e35
Instruction ID: 219042a14646d3f9e720e1fe548fa63c805ebbd02f1b6edf1587393725e9d63a
Opcode Fuzzy Hash: ba24e8b534b505ab8c0e69147733f98ad5642a6c089115b981356bfd54727e35
Instruction Fuzzy Hash: DE61A0B0A042469FCB00DF56C980A7AF7F9FF58310F148269E91687291D774ED95CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AEEF0D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2fbfaf19890ddbf22d69e3d7f1cb228c28a428281491b6e9491b8930ca0200
Instruction ID: 64e3a59187fd278ab6a2b5e43849e3933387b86cae7db47c9d7e1b02dddef4f7
Opcode Fuzzy Hash: fc2fbfaf19890ddbf22d69e3d7f1cb228c28a428281491b6e9491b8930ca0200
Instruction Fuzzy Hash: 8A518135700214AFCF14EFA8CA91EAD77F6AF49310B1441AAF9069B392DB70EE41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00ADB6D0 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ADB7C2

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _malloc_memmove
String ID:
API String ID: 1183979061-0
Opcode ID: 073b12473ba4ef229fd1a5618d4ee7c8b008b0a8010ab5979ea0957589e2f232
Instruction ID: 8a90cda3f9c12746272fc2a3ee82eb209bb05ff2b22d2340b003cfddf3a09587
Opcode Fuzzy Hash: 073b12473ba4ef229fd1a5618d4ee7c8b008b0a8010ab5979ea0957589e2f232
Instruction Fuzzy Hash: 5A4187B9201A02DFC7249F19C481A62F7F0FF88360715C56EE99B8B761DB30E852CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00ADD89E Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd91b8f287ce2cd6b95a7e27b139a0955930670c5f934d618a147b108bdfc76d
Instruction ID: 15e4db0d1ff24716bd7580852c0a8f22a78050576471a0359377507c7626af1b
Opcode Fuzzy Hash: cd91b8f287ce2cd6b95a7e27b139a0955930670c5f934d618a147b108bdfc76d
Instruction Fuzzy Hash: 6721A2311002459EDB3A6F69C894B3EB7E5BF00B15B20492FF483827A2DB25DC84BB01

Uniqueness

Uniqueness Score: -1.00%

Function 00AD4EE9 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00AD4F8F

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 027b551a2e2a167d1c3e837abf456d50019cb329e83f787170b832569c58b6b7
Instruction ID: a3d84a558eb1f1ff465324ba92effbe06975b2890c7853c5fd295da13e41da9d
Opcode Fuzzy Hash: 027b551a2e2a167d1c3e837abf456d50019cb329e83f787170b832569c58b6b7
Instruction Fuzzy Hash: 00315B71A00616AFCB08CF6DC584AADB7B5FF4C710F14862AE81A93760D770BDA0CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AEF92C Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00AEF9DB

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: d62a0de176377c18b259f08376ffceb76f5072482b5fea05f6badebaa6732441
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5931D270A00146AFC718DF5AD490A69FBB6FB49340B2586A5E48ACF256DB31EDC1CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00ADBD71 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ADBDCF

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: eb8bf1ed14dff160f030c36248d9ec2bf460b290ba161b31eb7eaa086365a011
Instruction ID: 5ad88f95c0c918a6befcea0c98749dea58cc75d2e17d386d29a46db630f15f35
Opcode Fuzzy Hash: eb8bf1ed14dff160f030c36248d9ec2bf460b290ba161b31eb7eaa086365a011
Instruction Fuzzy Hash: 7E21C471610609EBDF144F25EC417697BF4EB64390F62846AE486C62A4EF309AD0E714

Uniqueness

Uniqueness Score: -1.00%

Function 00ADD805 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ADD837

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5e1f692e916149e8810aced71d72443c3e1f46070182ec931b88d6c04c4577ab
Instruction ID: 19aa872b6c999630921d0e63d4cc8f01bd3289a9c6f8525a8da21b77519b5ba8
Opcode Fuzzy Hash: 5e1f692e916149e8810aced71d72443c3e1f46070182ec931b88d6c04c4577ab
Instruction Fuzzy Hash: 38114C76600605DFC724DF28D581916BBF9FF48360720882EE98ACB761E732E841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AD3F9B Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD3F5D: FreeLibrary.KERNEL32(00000000,?), ref: 00AD3F90

LoadLibraryExW.KERNELBASE(00000001,00000000,00000002,?,?,?,?,00AD34E2,?,00000001), ref: 00AD3FCD

Part of subcall function 00AD3E78: FreeLibrary.KERNEL32(00000000), ref: 00AD3EAB

Part of subcall function 00AD4010: _memmove.LIBCMT ref: 00AD405A

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Library$Free$Load_memmove
String ID:
API String ID: 3640140200-0
Opcode ID: c124e47908da05bf5bb6d465b2e0cd4c787dbc1616239a8c16dd53577f2e25ab
Instruction ID: e318a42ff2d84bd996bf74dc98b1fa5cdae215740e42c296ae84d858c568bdaf
Opcode Fuzzy Hash: c124e47908da05bf5bb6d465b2e0cd4c787dbc1616239a8c16dd53577f2e25ab
Instruction Fuzzy Hash: 8711E332600309ABCF20AB64DE02BAE77E59F44701F10882AF543E72C1DF759B459B51

Uniqueness

Uniqueness Score: -1.00%

Function 00AFBD14 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

___lock_fhandle.LIBCMT ref: 00AFBD73

Part of subcall function 00AF886A: __getptd_noexit.LIBCMT ref: 00AF886A

Part of subcall function 00AF889E: __getptd_noexit.LIBCMT ref: 00AF889E

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: __getptd_noexit$___lock_fhandle
String ID:
API String ID: 1144279405-0
Opcode ID: 11ce75257a9ee5f1cd2fbeb8ed20c67c1e11a6a8ea87d1e5a56d1e4ee0b9921c
Instruction ID: 97ce9a984281470957abf945ee3daa0e5b525359135d685c5d0bacc63b937347
Opcode Fuzzy Hash: 11ce75257a9ee5f1cd2fbeb8ed20c67c1e11a6a8ea87d1e5a56d1e4ee0b9921c
Instruction Fuzzy Hash: C8113D7292561C9FD7117FE4CA8637876716F41371F554240FB641B2E2DBB849008BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00AD4CA0 Relevance: 1.6, APIs: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,?,00000000,00000000,?,00AD4E69,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00AD4CF7

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 23492d3d185f3065c424925dfca825a41c68949a1f9f4e70f2d19a59921ffe77
Instruction ID: c382e0f2ecf3ca9037ef6a99e665cbe49e56a1c1a9bd10e06a9d5b1cccfefc47
Opcode Fuzzy Hash: 23492d3d185f3065c424925dfca825a41c68949a1f9f4e70f2d19a59921ffe77
Instruction Fuzzy Hash: D2112731205B459FD720CF16C884F66B7F9AF48754F10C52EE5AB86B50C7B1E855CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B130AC Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

_memmove.LIBCMT ref: 00B130E7

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _malloc_memmove
String ID:
API String ID: 1183979061-0
Opcode ID: 366932acec891c4528913c2a7dce7149a14662fb9a334e2c1599f00e4d5e0b87
Instruction ID: 9ca8602584e12f3de707e8fcd2b447f2a846f29a448f2471d622aabd4cfd741c
Opcode Fuzzy Hash: 366932acec891c4528913c2a7dce7149a14662fb9a334e2c1599f00e4d5e0b87
Instruction Fuzzy Hash: D901D132200225ABCB249F2DC891DAB77E9EFC5754714816EF90ACB205E631E902C790

Uniqueness

Uniqueness Score: -1.00%

Function 00ADCAEE Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ADCB2F

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 29a87f71cf00b5c9a4eb88bb05ac2db5cc0843062bd3b0846c9779d5f9593990
Instruction ID: 4948944fd20692596ae6583e6dd27bd7138fb638676d188f9d7a06f8470aefdc
Opcode Fuzzy Hash: 29a87f71cf00b5c9a4eb88bb05ac2db5cc0843062bd3b0846c9779d5f9593990
Instruction Fuzzy Hash: 4101FE721107056ED3149B79C807E66B7A4DF447B0F90863FF55ACB2D1EB71E400C690

Uniqueness

Uniqueness Score: -1.00%

Function 00B1AD14 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

Part of subcall function 00AF010A: std::exception::exception.LIBCMT ref: 00AF013E
Part of subcall function 00AF010A: __CxxThrowException@8.LIBCMT ref: 00AF0153

_memset.LIBCMT ref: 00B1AD49

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exception
String ID:
API String ID: 4117793777-0
Opcode ID: 498ced33603476d37db04ba7f19fb4ea43c10c0b7a5b4382d5050a6534eee571
Instruction ID: 72723573c7a461d7228bb3b93462c4ef927b71772965f915268f0ae9bc8d0e36
Opcode Fuzzy Hash: 498ced33603476d37db04ba7f19fb4ea43c10c0b7a5b4382d5050a6534eee571
Instruction Fuzzy Hash: F101F6756402049FD320EF9CD991F51BBE1EF5A310F24C5A9F6888B3A2DB72E8418F95

Uniqueness

Uniqueness Score: -1.00%

Function 00AD5116 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

CharUpperBuffW.USER32(00000000,?,00000000,?,?,?,00AD5A39,?,?,?,-00000003,00000000,00000000), ref: 00AD514E

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: BuffCharUpper_malloc
String ID:
API String ID: 1573836695-0
Opcode ID: 3e2d45124887e522218c48437704c6bd04a6548658cb64d9c28945eab22d1e73
Instruction ID: c98b5ca194a431cdff5bcaa2e71a0d051a06180ba44a8054ed2a6dc4256dc1e8
Opcode Fuzzy Hash: 3e2d45124887e522218c48437704c6bd04a6548658cb64d9c28945eab22d1e73
Instruction Fuzzy Hash: DAF09675A01A21EBC7216B65C910B2EF765EF40F61F00832BF55647751CB71D821D7D4

Uniqueness

Uniqueness Score: -1.00%

Function 00AF373E Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00AF377D

Part of subcall function 00AF889E: __getptd_noexit.LIBCMT ref: 00AF889E

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: b01b668cdb3d31caab29d8e09be651a507b8483bc4eb2bb92d884ccddc875536
Instruction ID: b461984970a933e0b0feba0da52be5d27f937c3c3fca258fcbc509b6ee50b828
Opcode Fuzzy Hash: b01b668cdb3d31caab29d8e09be651a507b8483bc4eb2bb92d884ccddc875536
Instruction Fuzzy Hash: D9F06DB290020DABDF21FFF58E067FE76A0AF003A0F148514BA149A1A1D7798B50DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AD3E39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,?,?,00AD34E2,?,00000001), ref: 00AD3E6D

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: dc3598e4c54385e5714b0d3c06b3bd9c50e96ed25b6664a1b0ce51527b7d1c8a
Instruction ID: 1782ef8d02248999e7fdc7c8e42b208e9cda05ac95690dca5520eae8db4203f8
Opcode Fuzzy Hash: dc3598e4c54385e5714b0d3c06b3bd9c50e96ed25b6664a1b0ce51527b7d1c8a
Instruction Fuzzy Hash: CDF015B2102741DFCF349F65D490862BBF1AF047153248A7FE1D782661CB319944DF01

Uniqueness

Uniqueness Score: -1.00%

Function 00B179F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00B17A11

Part of subcall function 00AD7E53: _memmove.LIBCMT ref: 00AD7EB9

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: 73dd9655fdba9b8a93e5dfb6bf188b044bc109e94cd38d81dc75fa5369dfb122
Instruction ID: c3a3ea898ca318ccdb30da929c37115d0001ba08407789e667e17e6e0cda5e87
Opcode Fuzzy Hash: 73dd9655fdba9b8a93e5dfb6bf188b044bc109e94cd38d81dc75fa5369dfb122
Instruction Fuzzy Hash: 2DD05EA66002282FDBA4E6249C09EFB36ADC744104F0006E1786DD2142ED20AE4586E0

Uniqueness

Uniqueness Score: -1.00%

Function 00AD50EC Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00AD50BE,?,00AD5088,?,00ADBE3D,00B922E8,?,00000000,?,00AD3E2E,?,00000000,?), ref: 00AD510C

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 95d5bf5aa4c284034745ba3e1abebbbc1ecd2f43863edf9abfd1af249cfa32c3
Instruction ID: 293974b2ace8f47472e5d984c8716e1b1aeabb492ebe1f0bbefd44bbc78ae7d3
Opcode Fuzzy Hash: 95d5bf5aa4c284034745ba3e1abebbbc1ecd2f43863edf9abfd1af249cfa32c3
Instruction Fuzzy Hash: 6CE0B675800B02CFC2318F2AE804412FBF5FFE13613218B2FD0E682660DBB05886DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AD4FB3 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00B449DA,?,?,00000000), ref: 00AD4FC4

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 5f5fd19d575c2473750493c353df6154b83fa3fe2616c4f80bf1d1ed9c919655
Instruction ID: fa0598cd38f0a39ae20ba88614976c2da1229969d0e2ea46b96f689e8bb51190
Opcode Fuzzy Hash: 5f5fd19d575c2473750493c353df6154b83fa3fe2616c4f80bf1d1ed9c919655
Instruction Fuzzy Hash: 26D0C974640308BFEB10CB91DC46F9A7BBCEB04718F600194F600A62E0D6F2BE408B55

Uniqueness

Uniqueness Score: -1.00%

Function 00AF2011 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 00AF201B

Part of subcall function 00AF1EE2: __lock.LIBCMT ref: 00AF1EF0
Part of subcall function 00AF1EE2: __initterm.LIBCMT ref: 00AF1FB8
Part of subcall function 00AF1EE2: __initterm.LIBCMT ref: 00AF1FC9

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: __initterm$__lock_doexit
String ID:
API String ID: 480483908-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: 0e8be171341d3f252e9f0898de2fe5d168055e13beda0057f57e56cc291688d1
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: 28B0123158030C73D9102DC1EC03F257B0C4750B50F200020FF0C1C1E1E593B56442C9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B3F5D0 Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 630
windowkeyboardCOMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00B3F5D0(struct HWND__* _a4, int _a8, long _a12) {
				intOrPtr _v24;
				long _v52;
				void* _v56;
				intOrPtr _v60;
				intOrPtr _v84;
				long _v92;
				void* _v96;
				signed int _v108;
				int _v112;
				void* _v116;
				struct HWND__** _v120;
				intOrPtr _v124;
				long _v128;
				signed int _v132;
				char _v136;
				void* _v140;
				char _v144;
				signed int _v148;
				struct tagPOINT _v156;
				signed int _v157;
				struct tagPOINT _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				void* __ebx;
				signed int _t204;
				long _t206;
				signed int _t207;
				long _t208;
				intOrPtr _t210;
				signed int _t212;
				signed int _t216;
				intOrPtr _t217;
				signed int _t220;
				intOrPtr _t223;
				signed int _t226;
				intOrPtr _t228;
				intOrPtr _t235;
				intOrPtr _t238;
				signed int _t242;
				intOrPtr _t245;
				signed int _t255;
				intOrPtr _t256;
				intOrPtr _t258;
				long _t262;
				intOrPtr _t265;
				signed int _t271;
				signed int _t274;
				intOrPtr _t275;
				signed int _t277;
				signed int _t285;
				intOrPtr _t288;
				signed int _t292;
				long _t300;
				signed int _t322;
				intOrPtr _t323;
				intOrPtr _t328;
				intOrPtr _t333;
				signed int _t338;
				signed int _t340;
				short _t342;
				short _t343;
				short _t345;
				signed int _t347;
				signed int _t354;
				long _t355;
				signed int _t362;
				int _t369;
				intOrPtr _t375;
				intOrPtr _t378;
				intOrPtr _t379;
				intOrPtr _t381;
				struct HMENU__* _t384;
				struct HMENU__* _t386;
				intOrPtr _t391;
				signed int _t403;
				intOrPtr _t404;
				intOrPtr _t405;
				long _t407;
				intOrPtr _t410;
				signed int _t412;
				signed int _t414;
				struct tagPOINT* _t419;
				intOrPtr _t420;
				long _t422;
				signed int _t423;
				intOrPtr _t424;
				struct HWND__* _t425;
				void* _t430;
				void* _t431;

				_t204 = L00AEAF7D(0xb91810, _a4);
				_t375 =  *0xb91870; // 0x0
				_t407 = _a12;
				_v148 = _t204;
				_t410 =  *((intOrPtr*)( *((intOrPtr*)(_t375 + _t204 * 4))));
				_t206 =  *(_t407 + 8);
				_v124 = _t410;
				_t430 = _t206 - 0xfffffe6e;
				if(_t430 > 0) {
					__eflags = _t206 - 0xfffffff0;
					if(__eflags > 0) {
						__eflags = _t206 - 0xfffffff4;
						if(_t206 == 0xfffffff4) {
							_t207 = E00AEB155(0xb91810,  *_t407);
							_v168 = _t207;
							__eflags = _t207 - 0xffffffff;
							if(_t207 == 0xffffffff) {
								L8:
								_t208 = DefDlgProcW(_a4, 0x4e, _a8, _t407);
								L9:
								return _t208;
							}
							_t378 =  *0xb91884; // 0xeee1e8
							_t379 =  *((intOrPtr*)( *((intOrPtr*)(_t378 + _t207 * 4))));
							_t210 =  *((intOrPtr*)(_t379 + 0x90));
							__eflags = _t210 - 0x10;
							if(_t210 == 0x10) {
								L100:
								_t212 =  *((intOrPtr*)(_t407 + 0xc)) - 1;
								__eflags = _t212;
								if(_t212 == 0) {
									_t208 = 0x20;
									goto L9;
								}
								__eflags = _t212 != 0x10000;
								if(_t212 != 0x10000) {
									goto L8;
								}
								_t362 = 0;
								__eflags =  *((intOrPtr*)(_t379 + 0x48)) - 0xfe000000;
								if( *((intOrPtr*)(_t379 + 0x48)) == 0xfe000000) {
									_t362 = 1;
									__eflags = 1;
								}
								_t216 = L00ADCF2C(0xb91810,  *((intOrPtr*)(_t407 + 0x2c)),  &_v144,  &_v164);
								__eflags = _t216;
								if(_t216 != 0) {
									_t217 =  *0xb91884; // 0xeee1e8
									_t412 = _v164.x;
									_t220 = GetWindowLongW( *( *((intOrPtr*)( *((intOrPtr*)(_t217 + _t412 * 4)))) + 0x34), 0xfffffff0);
									__eflags = _t220 & 0x08000000;
									if((_t220 & 0x08000000) != 0) {
										goto L105;
									}
									__eflags =  *(_t407 + 0x28) & 0x00000011;
									_t381 =  *0xb91884; // 0xeee1e8
									if(( *(_t407 + 0x28) & 0x00000011) == 0) {
										L109:
										_t223 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t381 + _t412 * 4)))) + 0x4c));
										__eflags = _t223 - 0xffffffff;
										if(_t223 != 0xffffffff) {
											 *((intOrPtr*)(_t407 + 0x30)) = _t223;
											_t381 =  *0xb91884; // 0xeee1e8
										}
										_t226 =  *( *((intOrPtr*)( *((intOrPtr*)(_t381 + _t412 * 4)))) + 0x48);
										__eflags = _t226;
										if(_t226 < 0) {
											goto L105;
										} else {
											__eflags = _t362;
											if(_t362 == 0) {
												L114:
												 *(_t407 + 0x34) = _t226;
												goto L105;
											}
											__eflags =  *(_t407 + 0x24) & 0x00000001;
											if(( *(_t407 + 0x24) & 0x00000001) == 0) {
												goto L105;
											}
											goto L114;
										}
									}
									_t228 =  *((intOrPtr*)( *((intOrPtr*)(_t381 + _t412 * 4))));
									__eflags =  *((char*)(_t228 + 0x90)) - 0x14;
									if( *((char*)(_t228 + 0x90)) != 0x14) {
										goto L8;
									}
									goto L109;
								} else {
									L105:
									_t208 = 0;
									goto L9;
								}
							}
							__eflags = _t210 - 0x13;
							if(_t210 != 0x13) {
								goto L8;
							}
							goto L100;
						}
						__eflags = _t206 - 0xfffffffb;
						if(_t206 == 0xfffffffb) {
							_v157 = 0;
							E00AEB736(0xb91810, _t410, 1);
							GetCursorPos( &_v164);
							ScreenToClient( *_t407,  &_v164);
							_t414 = E00AEB155(0xb91810,  *_t407);
							_v176 = _t414;
							__eflags = _t414 - 0xffffffff;
							if(_t414 != 0xffffffff) {
								L78:
								_t235 =  *0xb91884; // 0xeee1e8
								_v148 = _t414;
								_t238 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t235 + _t414 * 4)))) + 0x90));
								__eflags = _t238 - 0x10;
								if(_t238 == 0x10) {
									_v140 = _v156.x;
									_v136 = _v156.y;
									_t242 = SendMessageW( *_t407, 0x1111, 0,  &_v140);
									__eflags = _t242;
									if(_t242 == 0) {
										L95:
										ClientToScreen( *_t407,  &_v156);
										_t245 =  *0xb91884; // 0xeee1e8
										_t384 =  *( *((intOrPtr*)( *((intOrPtr*)(_t245 + _t414 * 4)))) + 0xc);
										__eflags = _t384;
										if(_t384 == 0) {
											goto L8;
										}
										TrackPopupMenuEx(_t384, 0x80, _v156.x, _v156.y,  *_v120, 0);
										L36:
										_t208 = 1;
										goto L9;
									}
									_v92 = _t242;
									_v96 = 4;
									SendMessageW( *_t407, 0x113e, 0,  &_v96);
									__eflags = _v132 & 0x00000046;
									if((_v132 & 0x00000046) == 0) {
										goto L95;
									}
									_t255 = L00ADCF2C(0xb91810, _v60,  &_v144,  &_v164);
									__eflags = _t255;
									if(_t255 == 0) {
										L94:
										_t414 = _v148;
										goto L95;
									}
									_t414 = _v164.x;
									_t256 =  *0xb91884; // 0xeee1e8
									_t258 =  *((intOrPtr*)( *((intOrPtr*)(_t256 + _t414 * 4))));
									__eflags =  *(_t258 + 0xc);
									if( *(_t258 + 0xc) != 0) {
										goto L95;
									}
									goto L94;
								}
								__eflags = _t238 - 0x13;
								if(_t238 != 0x13) {
									goto L8;
								}
								_v116 = _v156.x;
								_v112 = _v156.y;
								_t262 = SendMessageW( *_t407, 0x1012, 0,  &_v116);
								__eflags = _t262 - 0xffffffff;
								if(_t262 <= 0xffffffff) {
									L88:
									ClientToScreen( *_t407,  &_v156);
									_t265 =  *0xb91884; // 0xeee1e8
									_t386 =  *( *((intOrPtr*)( *((intOrPtr*)(_t265 + _t414 * 4)))) + 0xc);
									__eflags = _t386;
									if(_t386 != 0) {
										TrackPopupMenuEx(_t386, 0, _v156.x, _v156.y,  *_v120, 0);
									}
									goto L8;
								}
								__eflags = _v157;
								if(_v157 != 0) {
									goto L88;
								}
								_v52 = _t262;
								_v56 = 4;
								_t271 = SendMessageW( *_t407, 0x104b, 0,  &_v56);
								__eflags = _t271;
								if(_t271 == 0) {
									goto L8;
								}
								__eflags = _v108 & 0x0000000e;
								if((_v108 & 0x0000000e) == 0) {
									goto L88;
								}
								_t274 = L00ADCF2C(0xb91810, _v24,  &_v144,  &_v164);
								__eflags = _t274;
								if(_t274 == 0) {
									L87:
									_t414 = _v148;
									goto L88;
								}
								_t414 = _v164.x;
								_t275 =  *0xb91884; // 0xeee1e8
								_t277 =  *( *(_t275 + _t414 * 4));
								__eflags = _t277;
								if(_t277 == 0) {
									goto L87;
								}
								__eflags =  *(_t277 + 0xc);
								if( *(_t277 + 0xc) != 0) {
									goto L88;
								}
								goto L87;
							}
							_t414 = E00AEB155(0xb91810, GetParent( *_t407));
							_v168 = _t414;
							__eflags = _t414 - 0xffffffff;
							if(_t414 == 0xffffffff) {
								goto L8;
							}
							_v157 = 1;
							goto L78;
						}
						__eflags = _t206 - 0xfffffffe;
						if(_t206 != 0xfffffffe) {
							goto L8;
						}
						E00AEB736(0xb91810, _t410, 1);
						GetCursorPos( &_v164);
						ScreenToClient( *_t407,  &_v164);
						_t285 = E00AEB155(0xb91810,  *_t407);
						__eflags = _t285 - 0xffffffff;
						if(_t285 == 0xffffffff) {
							goto L8;
						}
						_t391 =  *0xb91884; // 0xeee1e8
						_t288 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t391 + _t285 * 4)))) + 0x90));
						__eflags = _t288 - 0x10;
						if(_t288 < 0x10) {
							goto L8;
						}
						__eflags = _t288 - 0x11;
						if(_t288 <= 0x11) {
							_v140 = _v156.x;
							_v136 = _v156.y;
							_t292 = SendMessageW( *_t407, 0x1111, 0,  &_v140);
							__eflags = _t292;
							if(_t292 != 0) {
								_v92 = _t292;
								_v96 = 0xc;
								_v84 = 0xf000;
								SendMessageW( *_t407, 0x113e, 0,  &_v96);
								__eflags = _v132 & 0x00000046;
								if((_v132 & 0x00000046) != 0) {
									SendMessageW( *_t407, 0x110b, 9, 0);
									SendMessageW( *_t407, 0x110b, 9, _v128);
								}
							}
							goto L8;
						}
						__eflags = _t288 - 0x13;
						if(_t288 != 0x13) {
							goto L8;
						}
						_v116 = _v156;
						_v112 = _v156.y;
						_t300 = SendMessageW( *_t407, 0x1012, 0,  &_v116);
						__eflags = _t300 - 0xffffffff;
						if(_t300 == 0xffffffff) {
							goto L8;
						}
						_v52 = _t300;
						_v56 = 4;
						SendMessageW( *_t407, 0x104b, 0,  &_v56);
						__eflags = _v108 & 0x0000000e;
						if((_v108 & 0x0000000e) == 0) {
							goto L8;
						}
						_push(0);
						_push(_v24);
						L44:
						L00B3DE72();
						goto L8;
					}
					if(__eflags == 0) {
						ReleaseCapture();
						goto L8;
					}
					__eflags = _t206 - 0xfffffec0;
					if(_t206 == 0xfffffec0) {
						L60:
						InvalidateRect( *_t407, 0, 1);
						goto L8;
					}
					__eflags = _t206 - 0xfffffed4;
					if(_t206 == 0xfffffed4) {
						goto L60;
					}
					__eflags = _t206 - 0xffffff93;
					if(_t206 == 0xffffff93) {
						ImageList_SetDragCursorImage( *0xb918bc, 0, 0, 0);
						ImageList_BeginDrag( *0xb918bc, 0, 0xfffffff8, 0xfffffff0);
						SetCapture(_a4);
						 *0xb918c0 = _a8;
						_v140 = 0;
						_v132 = 0;
						_v128 = 1;
						E00AE2570( &_v140);
						_v128 = 1;
						_v140 = _a8;
						E00ADCAEE(0,  &_v116, __eflags, L"@GUI_DRAGID");
						E00ADD380( &_v120,  &_v144, 1, 2);
						E00AD5CD3( &_v136);
						_t419 = _t407 + 0x20;
						ClientToScreen( *_t407, _t419);
						ImageList_DragEnter(0,  *_t419,  *(_t407 + 0x24));
						E00AE2570( &(_v164.y));
					} else {
						__eflags = _t206 - 0xffffff94;
						if(_t206 == 0xffffff94) {
							_t420 =  *((intOrPtr*)(_t407 + 4));
							_t322 = L00ADCF2C(0xb91810, _t420,  &_v144,  &_v164);
							__eflags = _t322;
							if(_t322 != 0) {
								_t323 =  *0xb91884; // 0xeee1e8
								 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t323 + _v164.x * 4)))) + 0x96)) =  *(_t407 + 0x10);
								L00B3DE72( *((intOrPtr*)(_t407 + 4)), 0);
								_t404 =  *0xb91884; // 0xeee1e8
								_t399 = _v172;
								_t328 =  *((intOrPtr*)( *((intOrPtr*)(_t404 + _v172 * 4))));
								__eflags =  *(_t328 + 0x28);
								if( *(_t328 + 0x28) > 0) {
									 *0xb9184c = _t420;
									E00ADC935(0xb91850,  *((intOrPtr*)( *((intOrPtr*)(_t404 + _t399 * 4)))) + 0x24);
									_t333 =  *0xb91884; // 0xeee1e8
									 *0xb91860 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t333 + _v168 * 4)))) + 0x98));
									SendMessageW( *_t407, 0x1030,  *(_t407 + 0x10), 0xb3de69);
								}
							}
						}
					}
					goto L8;
				}
				if(_t430 == 0) {
					L45:
					_t369 = 0;
					_t338 = SendMessageW( *_t407, 0x110a, 9, 0);
					__eflags = _t338;
					if(_t338 == 0) {
						goto L8;
					}
					_v92 = _t338;
					_v96 = 4;
					_t340 = SendMessageW( *_t407, 0x113e, 0,  &_v96);
					__eflags = _t340;
					if(_t340 == 0) {
						goto L8;
					}
					__eflags =  *(_t407 + 0x34) -  *((intOrPtr*)(_t407 + 0x5c));
					if( *(_t407 + 0x34) ==  *((intOrPtr*)(_t407 + 0x5c))) {
						goto L8;
					}
					__eflags =  *((intOrPtr*)(_t407 + 0xc)) - 0x1000;
					if( *((intOrPtr*)(_t407 + 0xc)) == 0x1000) {
						goto L8;
					}
					__eflags =  *((intOrPtr*)(_t407 + 0xc)) - 1;
					L26:
					if(__eflags == 0) {
						goto L8;
					}
					_push(_t369);
					_push(_v60);
					goto L44;
				}
				_t431 = _t206 - 0xfffffdd9;
				if(_t431 > 0) {
					__eflags = _t206 - 0xfffffdda;
					if(_t206 == 0xfffffdda) {
						_t342 = GetKeyState(0x11);
						__eflags = _t342;
						if(_t342 >= 0) {
							goto L8;
						}
						_t343 = GetKeyState(9);
						__eflags = _t343;
						if(_t343 >= 0) {
							goto L8;
						}
						_t422 = SendMessageW( *_t407, 0x130b, 0, 0);
						_t345 = GetKeyState(0x10);
						__eflags = _t345;
						if(_t345 >= 0) {
							_t423 = _t422 + 1;
							__eflags = _t423;
						} else {
							_t423 = _t422 - 1;
						}
						_push(_t423);
						L43:
						_push( *((intOrPtr*)(_t407 + 4)));
						goto L44;
					}
					__eflags = _t206 - 0xfffffdee;
					if(_t206 == 0xfffffdee) {
						__eflags =  *(_t410 + 0x188);
						if( *(_t410 + 0x188) == 0) {
							goto L8;
						}
						_t405 =  *0xb91894; // 0x2
						_t403 = 3;
						__eflags = _t405 - 0xfffffdd9;
						if(_t405 < 0xfffffdd9) {
							goto L8;
						}
						_t424 =  *0xb91884; // 0xeee1e8
						do {
							_t347 =  *( *(_t424 + _t403 * 4));
							__eflags = _t347;
							if(_t347 == 0) {
								goto L33;
							}
							__eflags = ( *(_t347 + 0x93) & 0x000000ff) -  *((intOrPtr*)(_t407 + 4));
							if(( *(_t347 + 0x93) & 0x000000ff) ==  *((intOrPtr*)(_t407 + 4))) {
								break;
							}
							L33:
							_t403 = _t403 + 1;
							__eflags = _t403 - _t405;
						} while (_t403 <= _t405);
						__eflags = _t403 - _t405;
						if(_t403 > _t405) {
							goto L8;
						}
						L00AF2C1D(_t407 + 0x10,  *((intOrPtr*)( *( *(_t424 + _t403 * 4)) + 0x54)), 0x4f);
						__eflags = 0;
						 *((short*)(_t407 + 0xae)) = 0;
						goto L36;
					}
					__eflags = _t206 - 0xfffffe3d;
					if(_t206 == 0xfffffe3d) {
						goto L45;
					}
					__eflags = _t206 - 0xfffffe64;
					if(_t206 != 0xfffffe64) {
						goto L8;
					}
					_t425 =  *_t407;
					_t354 = GetWindowLongW(_t425, 0xfffffff0);
					__eflags = _t354 & 0x00000100;
					if((_t354 & 0x00000100) == 0) {
						goto L8;
					}
					__eflags =  *((short*)(_t407 + 0xc)) - 0x20;
					if( *((short*)(_t407 + 0xc)) != 0x20) {
						goto L8;
					}
					_t369 = 0;
					_t355 = SendMessageW(_t425, 0x110a, 9, 0);
					__eflags = _t355;
					if(_t355 == 0) {
						goto L8;
					}
					_v92 = _t355;
					_v96 = 4;
					__eflags = SendMessageW(_t425, 0x113e, 0,  &_v96);
					goto L26;
				}
				if(_t431 == 0) {
					__eflags = 0;
					_t206 = SendMessageW( *_t407, 0x130b, 0, 0);
					L17:
					_push(_t206);
					goto L43;
				}
				if(_t206 == 0xfffffd09) {
					__eflags =  *((char*)(_t410 + 0x199));
					 *((char*)(_t410 + 0x19a)) = 1;
					if( *((char*)(_t410 + 0x199)) != 0) {
						goto L8;
					} else {
						 *((char*)(_t410 + 0x19a)) = 0;
						_push( *(_t407 + 8));
						goto L43;
					}
				}
				if(_t206 == 0xfffffd0e) {
					 *((char*)(_t410 + 0x199)) = 1;
					goto L8;
				}
				if(_t206 == 0xfffffd0f) {
					__eflags =  *((char*)(_t410 + 0x19a)) - 1;
					if( *((char*)(_t410 + 0x19a)) == 1) {
						L00B3DE72( *((intOrPtr*)(_t407 + 4)), _t206);
					}
					 *((short*)(_t410 + 0x199)) = 0;
					goto L8;
				}
				if(_t206 == 0xfffffd16) {
					goto L17;
				}
				goto L8;
			}

0x00b3f5e9
0x00b3f5ee
0x00b3f5f4
0x00b3f5f7
0x00b3f603
0x00b3f605
0x00b3f608
0x00b3f60c
0x00b3f60e
0x00b3f86f
0x00b3f872
0x00b3fa10
0x00b3fa13
0x00b3fd96
0x00b3fd9b
0x00b3fd9f
0x00b3fda2
0x00b3f645
0x00b3f64e
0x00b3f654
0x00b3f65a
0x00b3f65a
0x00b3fda8
0x00b3fdb1
0x00b3fdb3
0x00b3fdb9
0x00b3fdbb
0x00b3fdc5
0x00b3fdc8
0x00b3fdc8
0x00b3fdc9
0x00b3fe7a
0x00000000
0x00b3fe7a
0x00b3fdcf
0x00b3fdd4
0x00000000
0x00000000
0x00b3fdda
0x00b3fddc
0x00b3fde3
0x00b3fde5
0x00b3fde5
0x00b3fde5
0x00b3fdf9
0x00b3fdfe
0x00b3fe00
0x00b3fe09
0x00b3fe0e
0x00b3fe1c
0x00b3fe22
0x00b3fe27
0x00000000
0x00000000
0x00b3fe29
0x00b3fe2d
0x00b3fe33
0x00b3fe47
0x00b3fe4c
0x00b3fe4f
0x00b3fe52
0x00b3fe54
0x00b3fe57
0x00b3fe57
0x00b3fe62
0x00b3fe65
0x00b3fe67
0x00000000
0x00b3fe69
0x00b3fe69
0x00b3fe6b
0x00b3fe73
0x00b3fe73
0x00000000
0x00b3fe73
0x00b3fe6d
0x00b3fe71
0x00000000
0x00000000
0x00000000
0x00b3fe71
0x00b3fe67
0x00b3fe38
0x00b3fe3a
0x00b3fe41
0x00000000
0x00000000
0x00000000
0x00b3fe02
0x00b3fe02
0x00b3fe02
0x00000000
0x00b3fe02
0x00b3fe00
0x00b3fdbd
0x00b3fdbf
0x00000000
0x00000000
0x00000000
0x00b3fdbf
0x00b3fa19
0x00b3fa1c
0x00b3fb73
0x00b3fb77
0x00b3fb81
0x00b3fb8e
0x00b3fb9d
0x00b3fb9f
0x00b3fba3
0x00b3fba6
0x00b3fbcf
0x00b3fbcf
0x00b3fbd4
0x00b3fbdd
0x00b3fbe3
0x00b3fbe5
0x00b3fcd1
0x00b3fcd9
0x00b3fcea
0x00b3fcf0
0x00b3fcf2
0x00b3fd50
0x00b3fd57
0x00b3fd5d
0x00b3fd67
0x00b3fd6a
0x00b3fd6c
0x00000000
0x00000000
0x00b3fd87
0x00b3f7b4
0x00b3f7b6
0x00000000
0x00b3f7b6
0x00b3fcf4
0x00b3fd05
0x00b3fd0d
0x00b3fd13
0x00b3fd18
0x00000000
0x00000000
0x00b3fd30
0x00b3fd35
0x00b3fd37
0x00b3fd4c
0x00b3fd4c
0x00000000
0x00b3fd4c
0x00b3fd39
0x00b3fd3d
0x00b3fd45
0x00b3fd47
0x00b3fd4a
0x00000000
0x00000000
0x00000000
0x00b3fd4a
0x00b3fbeb
0x00b3fbed
0x00000000
0x00000000
0x00b3fbf7
0x00b3fbff
0x00b3fc10
0x00b3fc16
0x00b3fc19
0x00b3fc8f
0x00b3fc96
0x00b3fc9c
0x00b3fca6
0x00b3fca9
0x00b3fcab
0x00b3fcc2
0x00b3fcc2
0x00000000
0x00b3fcab
0x00b3fc1b
0x00b3fc1f
0x00000000
0x00000000
0x00b3fc21
0x00b3fc35
0x00b3fc40
0x00b3fc46
0x00b3fc48
0x00000000
0x00000000
0x00b3fc4e
0x00b3fc53
0x00000000
0x00000000
0x00b3fc6b
0x00b3fc70
0x00b3fc72
0x00b3fc8b
0x00b3fc8b
0x00000000
0x00b3fc8b
0x00b3fc74
0x00b3fc78
0x00b3fc80
0x00b3fc82
0x00b3fc84
0x00000000
0x00000000
0x00b3fc86
0x00b3fc89
0x00000000
0x00000000
0x00000000
0x00b3fc89
0x00b3fbbb
0x00b3fbbd
0x00b3fbc1
0x00b3fbc4
0x00000000
0x00000000
0x00b3fbca
0x00000000
0x00b3fbca
0x00b3fa22
0x00b3fa25
0x00000000
0x00000000
0x00b3fa30
0x00b3fa3a
0x00b3fa47
0x00b3fa51
0x00b3fa56
0x00b3fa59
0x00000000
0x00000000
0x00b3fa5f
0x00b3fa6a
0x00b3fa70
0x00b3fa72
0x00000000
0x00000000
0x00b3fa78
0x00b3fa7a
0x00b3faf7
0x00b3faff
0x00b3fb12
0x00b3fb14
0x00b3fb16
0x00b3fb1c
0x00b3fb2d
0x00b3fb35
0x00b3fb3d
0x00b3fb3f
0x00b3fb44
0x00b3fb55
0x00b3fb60
0x00b3fb60
0x00b3fb44
0x00000000
0x00b3fb16
0x00b3fa7c
0x00b3fa7e
0x00000000
0x00000000
0x00b3fa8e
0x00b3fa96
0x00b3faa9
0x00b3faab
0x00b3faae
0x00000000
0x00000000
0x00b3fab4
0x00b3fac8
0x00b3fad3
0x00b3fad5
0x00b3fada
0x00000000
0x00000000
0x00b3fae0
0x00b3fae1
0x00b3f804
0x00b3f804
0x00000000
0x00b3f804
0x00b3f878
0x00b3fa05
0x00000000
0x00b3fa05
0x00b3f87e
0x00b3f883
0x00b3f9f4
0x00b3f9fa
0x00000000
0x00b3f9fa
0x00b3f889
0x00b3f88e
0x00000000
0x00000000
0x00b3f894
0x00b3f897
0x00b3f956
0x00b3f967
0x00b3f970
0x00b3f97d
0x00b3f982
0x00b3f986
0x00b3f98a
0x00b3f992
0x00b3f9a6
0x00b3f9aa
0x00b3f9ae
0x00b3f9c0
0x00b3f9c9
0x00b3f9ce
0x00b3f9d4
0x00b3f9e0
0x00b3f9ea
0x00b3f89d
0x00b3f89d
0x00b3f8a0
0x00b3f8a6
0x00b3f8b6
0x00b3f8bb
0x00b3f8bd
0x00b3f8c3
0x00b3f8d8
0x00b3f8e2
0x00b3f8e7
0x00b3f8ed
0x00b3f8f4
0x00b3f8f6
0x00b3f8f9
0x00b3f8ff
0x00b3f913
0x00b3f918
0x00b3f931
0x00b3f940
0x00b3f940
0x00b3f8f9
0x00b3f8bd
0x00b3f8a0
0x00000000
0x00b3f897
0x00b3f614
0x00b3f80e
0x00b3f814
0x00b3f820
0x00b3f822
0x00b3f824
0x00000000
0x00000000
0x00b3f82a
0x00b3f83b
0x00b3f843
0x00b3f845
0x00b3f847
0x00000000
0x00000000
0x00b3f850
0x00b3f853
0x00000000
0x00000000
0x00b3f859
0x00b3f860
0x00000000
0x00000000
0x00b3f866
0x00b3f73f
0x00b3f73f
0x00000000
0x00000000
0x00b3f745
0x00b3f746
0x00000000
0x00b3f746
0x00b3f61f
0x00b3f621
0x00b3f6b9
0x00b3f6be
0x00b3f7c4
0x00b3f7c6
0x00b3f7c9
0x00000000
0x00000000
0x00b3f7d1
0x00b3f7d3
0x00b3f7d6
0x00000000
0x00000000
0x00b3f7ef
0x00b3f7f1
0x00b3f7f7
0x00b3f7fa
0x00b3f7ff
0x00b3f7ff
0x00b3f7fc
0x00b3f7fc
0x00b3f7fc
0x00b3f800
0x00b3f801
0x00b3f801
0x00000000
0x00b3f801
0x00b3f6c4
0x00b3f6c9
0x00b3f74f
0x00b3f756
0x00000000
0x00000000
0x00b3f75c
0x00b3f764
0x00b3f765
0x00b3f767
0x00000000
0x00000000
0x00b3f76d
0x00b3f773
0x00b3f776
0x00b3f778
0x00b3f77a
0x00000000
0x00000000
0x00b3f783
0x00b3f786
0x00000000
0x00000000
0x00b3f788
0x00b3f788
0x00b3f789
0x00b3f789
0x00b3f78d
0x00b3f78f
0x00000000
0x00000000
0x00b3f7a3
0x00b3f7ab
0x00b3f7ad
0x00000000
0x00b3f7ad
0x00b3f6cf
0x00b3f6d4
0x00000000
0x00000000
0x00b3f6da
0x00b3f6df
0x00000000
0x00000000
0x00b3f6e5
0x00b3f6ea
0x00b3f6f0
0x00b3f6f5
0x00000000
0x00000000
0x00b3f6fb
0x00b3f700
0x00000000
0x00000000
0x00b3f706
0x00b3f711
0x00b3f717
0x00b3f719
0x00000000
0x00000000
0x00b3f71f
0x00b3f72f
0x00b3f73d
0x00000000
0x00b3f73d
0x00b3f627
0x00b3f6a2
0x00b3f6ad
0x00b3f6b3
0x00b3f6b3
0x00000000
0x00b3f6b3
0x00b3f62e
0x00b3f683
0x00b3f68a
0x00b3f691
0x00000000
0x00b3f693
0x00b3f693
0x00b3f69a
0x00000000
0x00b3f69a
0x00b3f691
0x00b3f635
0x00b3f67a
0x00000000
0x00b3f67a
0x00b3f63c
0x00b3f65d
0x00b3f664
0x00b3f66a
0x00b3f66a
0x00b3f671
0x00000000
0x00b3f671
0x00b3f643
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00AEAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AEAF8E

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 00B3F64E
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B3F6AD
GetWindowLongW.USER32(?,000000F0), ref: 00B3F6EA
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B3F711
SendMessageW.USER32 ref: 00B3F737
_wcsncpy.LIBCMT ref: 00B3F7A3
GetKeyState.USER32(00000011), ref: 00B3F7C4
GetKeyState.USER32(00000009), ref: 00B3F7D1
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B3F7E7
GetKeyState.USER32(00000010), ref: 00B3F7F1
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B3F820
SendMessageW.USER32 ref: 00B3F843
SendMessageW.USER32(?,00001030,?,00B3DE69), ref: 00B3F940
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 00B3F956
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B3F967
SetCapture.USER32(?), ref: 00B3F970
ClientToScreen.USER32(?,?), ref: 00B3F9D4
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B3F9E0
InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 00B3F9FA
ReleaseCapture.USER32(?,?,?,?), ref: 00B3FA05
GetCursorPos.USER32(?), ref: 00B3FA3A
ScreenToClient.USER32 ref: 00B3FA47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B3FAA9
SendMessageW.USER32 ref: 00B3FAD3
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B3FB12
SendMessageW.USER32 ref: 00B3FB3D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B3FB55
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B3FB60
GetCursorPos.USER32(?), ref: 00B3FB81
ScreenToClient.USER32 ref: 00B3FB8E
GetParent.USER32(?), ref: 00B3FBAA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B3FC10
SendMessageW.USER32 ref: 00B3FC40
ClientToScreen.USER32(?,?), ref: 00B3FC96
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B3FCC2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B3FCEA
SendMessageW.USER32 ref: 00B3FD0D
ClientToScreen.USER32(?,?), ref: 00B3FD57
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B3FD87
GetWindowLongW.USER32(?,000000F0), ref: 00B3FE1C

Strings

@GUI_DRAGID, xrefs: 00B3F99D
, xrefs: 00B3F76D, 00B3F8C3, 00B3F8E7, 00B3F918, 00B3FA5F, 00B3FBCF, 00B3FC78, 00B3FC9C, 00B3FD3D, 00B3FD5D, 00B3FDA8, 00B3FE09, 00B3FE2D, 00B3FE57
F, xrefs: 00B3FD13

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$
API String ID: 2516578528-1884987827
Opcode ID: dfb8d95be272ca2ae7f239ad487f63d281cc252b976cb3db8bfaa20ca9da0c87
Instruction ID: 2d091d2edf35e6bba840d972ea467dccaf625660d4b94fc07269b3278d190bb8
Opcode Fuzzy Hash: dfb8d95be272ca2ae7f239ad487f63d281cc252b976cb3db8bfaa20ca9da0c87
Instruction Fuzzy Hash: 6632AC71A04302AFDB20DF68C984ABABBE5FF48354F240AA9F655872B1DB30DC41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B3A8DC Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 574
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E00B3A8DC(signed int _a4, long _a8, WCHAR* _a12) {
				signed int _v12;
				signed int _v16;
				intOrPtr _v32;
				WCHAR* _v36;
				intOrPtr _v40;
				signed char _v44;
				long _v48;
				void* _v52;
				signed int _v72;
				intOrPtr _v80;
				WCHAR* _v84;
				intOrPtr _v88;
				unsigned int _v92;
				intOrPtr _v96;
				long _v100;
				void* _v104;
				signed short _v114;
				signed short _v118;
				void* _v120;
				char _v124;
				signed int _v128;
				signed int _v140;
				void* _v148;
				void* _v152;
				intOrPtr _v160;
				intOrPtr _v164;
				signed int _v188;
				intOrPtr _v196;
				char _v200;
				void* __ebx;
				void* __edi;
				intOrPtr _t168;
				signed int _t170;
				signed int _t171;
				signed int _t178;
				long _t185;
				signed int _t187;
				void* _t190;
				short _t193;
				WCHAR* _t195;
				signed int _t199;
				signed int _t205;
				signed int _t222;
				WCHAR* _t226;
				signed int _t227;
				long _t235;
				signed int _t237;
				signed int _t243;
				signed int _t246;
				long _t248;
				signed int _t250;
				signed int _t257;
				int _t258;
				long _t260;
				long _t262;
				int _t265;
				signed int _t267;
				long _t269;
				signed int _t274;
				long _t276;
				int _t282;
				WCHAR* _t283;
				struct HWND__** _t287;
				WCHAR* _t294;
				struct HWND__** _t297;
				signed char _t323;
				signed int _t327;
				WCHAR* _t340;
				signed int _t341;
				signed int _t345;
				signed int _t347;
				signed int _t350;
				signed int _t352;
				void* _t358;
				int _t359;
				long _t363;
				struct HWND__* _t370;
				signed int _t372;
				struct HWND__** _t373;
				WCHAR* _t375;
				int _t376;
				signed int _t379;

				if(L00ADCF2C(0xb91810, _a4,  &_v124,  &_v12) != 0) {
					_t168 =  *0xb91884; // 0xeee1e8
					_t282 = _a8;
					 *_t282 =  *_t282 | 0xffffffff;
					_t287 =  *( *(_t168 + _v12 * 4));
					_t170 = _t287[0x24] & 0x000000ff;
					_t370 =  *_t287;
					_v12 = _t287;
					_a8 = _t370;
					__eflags = _t170 - 0x11;
					if(__eflags > 0) {
						__eflags = _t170 - 0x12;
						if(_t170 == 0x12) {
							__eflags = 0;
							_push(0);
							_push(0);
							_push(0x400);
							L88:
							_t171 = SendMessageW(_t370, ??, ??, ??);
							L89:
							 *_t282 = _t171;
							goto L90;
						}
						__eflags = _t170 - 0x13;
						if(_t170 == 0x13) {
							 *_t282 = SendMessageW(_t370, 0x100c, 0xffffffff, 2);
							E00AF1970( &_v104, 0, 0x34);
							_v100 =  *_t282;
							_v104 = 4;
							_t178 = SendMessageW(_a8, 0x104b, 0,  &_v104);
							asm("sbb eax, eax");
							_t171 =  ~_t178 & _v72;
							goto L89;
						}
						__eflags = _t170 - 0x14;
						if(_t170 == 0x14) {
							 *_t282 =  *_t282 | 0xffffffff;
							_a8 = GetWindowLongW(_t287[0xd], 0xffffffec);
							E00AF1970( &_v104, 0, 0x34);
							_t372 = _v12;
							_v140 = _a4;
							_v148 = 1;
							_t185 = SendMessageW( *(_t372 + 0x34), 0x1053, 0xffffffff,  &_v148);
							_v100 = _t185;
							__eflags = _t185 - 0xffffffff;
							if(_t185 == 0xffffffff) {
								goto L90;
							}
							__eflags = _a8 & 0x00000004;
							if(__eflags == 0) {
								L81:
								_t283 = E00AF010A(_t282, _t287, 0, __eflags, 0x2000);
								_t340 = _t283;
								__eflags = 0 -  *((intOrPtr*)(_t372 + 0x94));
								_a12 = _t340;
								_v104 = 1;
								_v80 = 0xfff;
								_t187 = 0;
								while(1) {
									_a4 = _t187;
									_v96 = _t187;
									_push( &_v104);
									_push(0);
									_push(0x104b);
									_push( *(_t372 + 0x34));
									_v84 = _t340;
									if(__eflags >= 0) {
										break;
									}
									SendMessageW();
									_t190 = E00AF18FB(_a12);
									_v80 = 0xffe;
									__eflags = 0xffe - _t190;
									if(0xffe - _t190 <= 0) {
										L26:
										return _t283;
									}
									_t294 =  &(_t283[E00AF18FB(_t283)]);
									_t193 =  *0xb91824; // 0x7c
									 *_t294 = _t193;
									_t294[1] = 0;
									_t195 = CharNextW(_t294);
									_t340 = _t195;
									_a12 = _t195;
									_t187 = _a4 + 1;
									__eflags = _t187 -  *((short*)(_t372 + 0x94));
								}
								SendMessageW();
								goto L26;
							}
							__eflags = _a12;
							if(__eflags == 0) {
								goto L81;
							}
							_v104 = 8;
							_v88 = 0xf000;
							_t199 = SendMessageW( *(_t372 + 0x34), 0x104b, 0,  &_v104);
							__eflags = _t199;
							if(_t199 == 0) {
								goto L90;
							}
							asm("sbb eax, eax");
							_t171 = ( ~((_v92 >> 0xc) - 1) & 0xfffffffd) + 4;
							goto L89;
						}
						__eflags = _t170 - 0x15;
						if(_t170 == 0x15) {
							_t373 =  &(_t287[0x1c]);
							_a12 = _t373;
							_t205 = E00ADD2C0(_t373, 4);
							_t297 = _t373;
							__eflags = _t205;
							if(_t205 == 0) {
								_t171 = L00ADCDB4(_t297);
								goto L89;
							}
							E00AD84A6(_t205, _t297);
							_t341 = 2;
							_t358 = E00AF010A(_t282,  ~(0 | __eflags > 0x00000000) | ( *((intOrPtr*)(_t373[2] + 4)) + 0x00000001) * _t341, 0, __eflags,  ~(0 | __eflags > 0x00000000) | ( *((intOrPtr*)(_t373[2] + 4)) + 0x00000001) * _t341);
							E00AD84A6(E00AD84A6(_t211, _t373), _a12);
							L00AD3B1E(_t358,  *(_a12[4]),  *((intOrPtr*)(_t373[2] + 4)) + 1);
							return _t358;
						}
						__eflags = _t170 - 0x18;
						if(__eflags <= 0) {
							L72:
							_t100 = SendMessageW(_t370, 0xe, 0, 0) + 1; // 0x1
							_t359 = _t100;
							_t345 = 2;
							_t375 = E00AF010A(_t282,  ~(0 | __eflags > 0x00000000) | _t359 * _t345, _t359, __eflags,  ~(0 | __eflags > 0x00000000) | _t359 * _t345);
							GetWindowTextW(_a8, _t375, _t359);
							L13:
							return _t375;
						}
						__eflags = _t170 - 0x1a;
						if(_t170 <= 0x1a) {
							__eflags = _a12;
							_push(0);
							_push(0);
							if(__eflags == 0) {
								_t222 = SendMessageW(_t370, 0xf0, ??, ??);
								 *_t282 = _t222;
								__eflags = _t222;
								if(_t222 == 0) {
									 *_t282 = 4;
								}
								goto L90;
							}
							_t89 = SendMessageW(_t370, 0xe, ??, ??) + 1; // 0x1
							_t376 = _t89;
							_t347 = 2;
							_t226 = E00AF010A(_t282,  ~(0 | __eflags > 0x00000000) | _t376 * _t347, 0, __eflags,  ~(0 | __eflags > 0x00000000) | _t376 * _t347);
							_a12 = _t226;
							_t227 = GetWindowTextW(_a8, _t226, _t376);
							__eflags = _t227;
							if(_t227 != 0) {
								return _a12;
							}
							_push(_a12);
							 *_t282 = 0;
							L28:
							L00AF017E();
							goto L90;
						}
						__eflags = _t170 - 0x1c;
						if(__eflags != 0) {
							goto L72;
						}
						__eflags = SendMessageW(_t370, 0x1001, 0,  &_v120);
						if(__eflags == 0) {
							 *_t282 = 0;
							goto L90;
						}
						_t375 = E00AF010A(_t282, _t287, 0, __eflags, 0x16);
						wsprintfW(_t375, L"%d/%02d/%02d", _v120 & 0x0000ffff, _v118 & 0x0000ffff, _v114 & 0x0000ffff);
						goto L13;
					}
					if(__eflags == 0) {
						_v48 = _t287[4];
						 *_t282 = 0;
						_t235 = GetWindowLongW(_t287[0xd], 0xfffffff0);
						__eflags = _a12;
						_a4 = _t235;
						_v52 = 8;
						_v40 = 0xf000;
						if(__eflags == 0) {
							_t237 = SendMessageW( *(_v12 + 0x34), 0x113e, 0,  &_v52);
							__eflags = _t237;
							if(_t237 != 0) {
								_t323 = _v44;
								__eflags = _a4 & 0x00000100;
								if((_a4 & 0x00000100) != 0) {
									asm("sbb eax, eax");
									_t243 = ( ~((_t323 >> 0xc) - 1) & 0xfffffffd) + 4;
									__eflags = _t243;
									 *_t282 = _t243;
								}
								__eflags = _t323 & 0x00000002;
								if((_t323 & 0x00000002) != 0) {
									 *_t282 =  *_t282 | 0x00000100;
									__eflags =  *_t282;
								}
								__eflags = _t323 & 0x00000020;
								if((_t323 & 0x00000020) != 0) {
									 *_t282 =  *_t282 | 0x00000400;
									__eflags =  *_t282;
								}
								__eflags = _t323 & 0x00000010;
								if((_t323 & 0x00000010) != 0) {
									 *_t282 =  *_t282 | 0x00000200;
								}
							}
							goto L90;
						}
						_t283 = E00AF010A(_t282, _t287, 0, __eflags, 0x2000);
						_push( &_v52);
						_push(0);
						_push(0x113e);
						_push( *(_v12 + 0x34));
						L25:
						_v32 = 0xfff;
						_v36 = _t283;
						_v52 = 1;
						_t246 = SendMessageW(??, ??, ??, ??);
						__eflags = _t246;
						if(_t246 == 0) {
							_push(_t283);
							goto L28;
						}
						goto L26;
					}
					__eflags = _t170 - 0xa;
					if(__eflags > 0) {
						__eflags = _t170 - 0xc;
						if(_t170 == 0xc) {
							 *_t282 =  *_t282 & 0;
							goto L90;
						}
						__eflags = _t170 - 0xd;
						if(__eflags <= 0) {
							goto L72;
						}
						__eflags = _t170 - 0xf;
						if(_t170 <= 0xf) {
							__eflags = IsMenu(_t287[3]);
							if(__eflags == 0) {
								goto L90;
							}
							_t248 = E00AF010A(_t282, _t287, 0, __eflags, 0x208);
							__eflags = _a12;
							_t379 = _v12;
							_t363 = _t248;
							_a8 = _t363;
							_v200 = 0x30;
							_push( &_v200);
							if(_a12 == 0) {
								_v196 = 1;
								_t250 = GetMenuItemInfoW( *(_t379 + 0xc), _a4, 0, ??);
								_push(_t363);
								__eflags = _t250;
								if(_t250 == 0) {
									goto L28;
								}
								L00AF017E();
								_t327 = _v188;
								asm("sbb eax, eax");
								_t257 = ( ~(_t327 & 0x00000003) & 0x00000040) + 0x40;
								 *_t282 = _t327;
								__eflags = _t327 & 0x00008080;
								if((_t327 & 0x00008080) != 0) {
									_t257 = _t257 | 0x00000100;
									__eflags = _t257;
								}
								__eflags = _t327 & 0x00000008;
								if((_t327 & 0x00000008) == 0) {
									_t171 = _t257 | 0x00000004;
									__eflags = _t171;
								} else {
									_t171 = _t257 | 0x00000001;
								}
								__eflags = _t327 & 0x00001000;
								if((_t327 & 0x00001000) != 0) {
									_t171 = _t171 | 0x00000200;
								}
								goto L89;
							}
							_v164 = _t363;
							_v196 = 0x10;
							_v160 = 0x104;
							_t258 = GetMenuItemInfoW( *(_t379 + 0xc), _a4, 0, ??);
							__eflags = _t258;
							if(_t258 != 0) {
								return _a8;
							}
							_push(_a8);
							 *_t282 = 0;
							goto L28;
						}
						__eflags = _t170 - 0x10;
						if(__eflags != 0) {
							goto L72;
						}
						 *_t282 = 0;
						_t260 = SendMessageW(_t370, 0x110a, 9, 0);
						__eflags = _t260;
						if(_t260 == 0) {
							goto L90;
						}
						__eflags = _a12;
						_v48 = _t260;
						_v52 = 4;
						if(__eflags == 0) {
							_t262 = SendMessageW(_t370, 0x113e, 0,  &_v52);
							__eflags = _t262;
							if(_t262 == 0) {
								goto L90;
							}
							_t171 = _v16;
							goto L89;
						}
						_t283 = E00AF010A(_t282, _t287, 0, __eflags, 0x2000);
						_push( &_v52);
						_push(0);
						_push(0x113e);
						_push(_t370);
						goto L25;
					}
					if(__eflags == 0) {
						_t265 = SendMessageW(_t370, 0x130b, 0, 0);
						__eflags = _a12;
						 *_t282 = _t265;
						if(_a12 == 0) {
							goto L90;
						}
						_v152 = 8;
						SendMessageW(_t370, 0x133c, _t265,  &_v152);
						_t171 = _v128;
						goto L89;
					}
					_t267 = _t170;
					__eflags = _t267;
					if(_t267 == 0) {
						_t282 = SendMessageW(_t370, 0x147, 0, 0);
						__eflags = _t282 - 0xffffffff;
						if(__eflags == 0) {
							goto L72;
						}
						_t269 = SendMessageW(_t370, 0x149, _t282, 0);
						_t350 = 2;
						_t375 = E00AF010A(_t282,  ~(0 | __eflags > 0x00000000) | (_t269 + 0x00000001) * _t350, SendMessageW, __eflags,  ~(0 | __eflags > 0x00000000) | (_t269 + 0x00000001) * _t350);
						_push(_t375);
						_push(_t282);
						_push(0x148);
						L12:
						SendMessageW(_a8, ??, ??, ??);
						goto L13;
					}
					_t274 = _t267 - 1;
					__eflags = _t274;
					if(_t274 == 0) {
						_t282 = SendMessageW(_t370, 0x188, 0, 0);
						__eflags = _t282 - 0xffffffff;
						if(__eflags == 0) {
							goto L72;
						} else {
							_t276 = SendMessageW(_t370, 0x18a, _t282, 0);
							_t352 = 2;
							_t338 =  ~(__eflags > 0) | (_t276 + 0x00000001) * _t352;
							_t375 = E00AF010A(_t282, _t338, SendMessageW,  ~(__eflags > 0) | (_t276 + 0x00000001) * _t352, _t338);
							_push(_t375);
							_push(_t282);
							_push(0x189);
							goto L12;
						}
					}
					__eflags = _t274 - 7;
					if(__eflags != 0) {
						goto L72;
					} else {
						_push(0);
						_push(0);
						_push(0x408);
						goto L88;
					}
				} else {
					 *_a8 =  *_a8 & 0x00000000;
					L90:
					return 0;
				}
			}

0x00b3a8ff
0x00b3a90f
0x00b3a914
0x00b3a91a
0x00b3a91d
0x00b3a921
0x00b3a928
0x00b3a92a
0x00b3a92d
0x00b3a930
0x00b3a933
0x00b3aca0
0x00b3aca3
0x00b3afd1
0x00b3afd3
0x00b3afd4
0x00b3afd5
0x00b3afda
0x00b3afdb
0x00b3afe1
0x00b3afe1
0x00000000
0x00b3afe1
0x00b3aca9
0x00b3acac
0x00b3af9c
0x00b3afa5
0x00b3afaf
0x00b3afbf
0x00b3afc6
0x00b3afca
0x00b3afcc
0x00000000
0x00b3afcc
0x00b3acb2
0x00b3acb5
0x00b3ae3f
0x00b3ae4f
0x00b3ae59
0x00b3ae61
0x00b3ae67
0x00b3ae7e
0x00b3ae88
0x00b3ae8e
0x00b3ae91
0x00b3ae94
0x00000000
0x00000000
0x00b3ae9a
0x00b3ae9e
0x00b3aee5
0x00b3aeef
0x00b3aef2
0x00b3aef6
0x00b3aefd
0x00b3af00
0x00b3af07
0x00b3af0e
0x00b3af65
0x00b3af65
0x00b3af68
0x00b3af6e
0x00b3af6f
0x00b3af70
0x00b3af75
0x00b3af78
0x00b3af7b
0x00000000
0x00000000
0x00b3af12
0x00b3af1b
0x00b3af28
0x00b3af2b
0x00b3af2d
0x00b3aaca
0x00000000
0x00b3aaca
0x00b3af3a
0x00b3af3d
0x00b3af43
0x00b3af49
0x00b3af4d
0x00b3af5a
0x00b3af5c
0x00b3af62
0x00b3af63
0x00b3af63
0x00b3af7d
0x00000000
0x00b3af7d
0x00b3aea0
0x00b3aea4
0x00000000
0x00000000
0x00b3aeb3
0x00b3aeba
0x00b3aec1
0x00b3aec7
0x00b3aec9
0x00000000
0x00000000
0x00b3aed8
0x00b3aedd
0x00000000
0x00b3aedd
0x00b3acbb
0x00b3acbe
0x00b3adce
0x00b3add5
0x00b3add8
0x00b3addd
0x00b3addf
0x00b3ade1
0x00b3ae35
0x00000000
0x00b3ae35
0x00b3ade3
0x00b3adf3
0x00b3ae06
0x00b3ae18
0x00b3ae28
0x00000000
0x00b3ae2e
0x00b3acc4
0x00b3acc7
0x00b3ad97
0x00b3ada2
0x00b3ada2
0x00b3ada9
0x00b3adbd
0x00b3adc3
0x00b3a9b7
0x00000000
0x00b3a9b7
0x00b3accd
0x00b3acd0
0x00b3ad27
0x00b3ad2b
0x00b3ad2c
0x00b3ad2d
0x00b3ad7c
0x00b3ad82
0x00b3ad84
0x00b3ad86
0x00b3ad8c
0x00b3ad8c
0x00000000
0x00b3ad86
0x00b3ad38
0x00b3ad38
0x00b3ad3f
0x00b3ad4c
0x00b3ad57
0x00b3ad5a
0x00b3ad60
0x00b3ad62
0x00000000
0x00b3ad6e
0x00b3ad64
0x00b3ad67
0x00b3aad2
0x00b3aad2
0x00000000
0x00b3aad7
0x00b3acd2
0x00b3acd5
0x00000000
0x00000000
0x00b3acee
0x00b3acf0
0x00b3ad1e
0x00000000
0x00b3ad1e
0x00b3ad08
0x00b3ad10
0x00000000
0x00b3ad16
0x00b3a939
0x00b3abf9
0x00b3abfc
0x00b3abfe
0x00b3ac04
0x00b3ac08
0x00b3ac0b
0x00b3ac12
0x00b3ac19
0x00b3ac4d
0x00b3ac53
0x00b3ac55
0x00b3ac5b
0x00b3ac63
0x00b3ac66
0x00b3ac70
0x00b3ac75
0x00b3ac75
0x00b3ac78
0x00b3ac78
0x00b3ac7a
0x00b3ac7d
0x00b3ac7f
0x00b3ac7f
0x00b3ac7f
0x00b3ac81
0x00b3ac84
0x00b3ac86
0x00b3ac86
0x00b3ac86
0x00b3ac8c
0x00b3ac8f
0x00b3ac95
0x00b3ac95
0x00b3ac8f
0x00000000
0x00b3ac55
0x00b3ac29
0x00b3ac2e
0x00b3ac2f
0x00b3ac30
0x00b3ac35
0x00b3aaaf
0x00b3aaaf
0x00b3aab6
0x00b3aab9
0x00b3aac0
0x00b3aac6
0x00b3aac8
0x00b3aad1
0x00000000
0x00b3aad1
0x00000000
0x00b3aac8
0x00b3a93f
0x00b3a942
0x00b3aa48
0x00b3aa4b
0x00b3abe8
0x00000000
0x00b3abe8
0x00b3aa51
0x00b3aa54
0x00000000
0x00000000
0x00b3aa5a
0x00b3aa5d
0x00b3ab07
0x00b3ab09
0x00000000
0x00000000
0x00b3ab14
0x00b3ab19
0x00b3ab1d
0x00b3ab20
0x00b3ab29
0x00b3ab2c
0x00b3ab36
0x00b3ab37
0x00b3ab7d
0x00b3ab8a
0x00b3ab90
0x00b3ab91
0x00b3ab93
0x00000000
0x00000000
0x00b3ab99
0x00b3ab9f
0x00b3abae
0x00b3abb3
0x00b3abb6
0x00b3abb8
0x00b3abbe
0x00b3abc0
0x00b3abc0
0x00b3abc0
0x00b3abc5
0x00b3abc8
0x00b3abcf
0x00b3abcf
0x00b3abca
0x00b3abca
0x00b3abca
0x00b3abd2
0x00b3abd8
0x00b3abde
0x00b3abde
0x00000000
0x00b3abd8
0x00b3ab39
0x00b3ab45
0x00b3ab52
0x00b3ab5c
0x00b3ab62
0x00b3ab64
0x00000000
0x00b3ab70
0x00b3ab66
0x00b3ab69
0x00000000
0x00b3ab69
0x00b3aa63
0x00b3aa66
0x00000000
0x00000000
0x00b3aa77
0x00b3aa79
0x00b3aa7f
0x00b3aa81
0x00000000
0x00000000
0x00b3aa87
0x00b3aa8b
0x00b3aa8e
0x00b3aa95
0x00b3aae8
0x00b3aaee
0x00b3aaf0
0x00000000
0x00000000
0x00b3aaf6
0x00000000
0x00b3aaf6
0x00b3aaa2
0x00b3aaa7
0x00b3aaa8
0x00b3aaa9
0x00b3aaae
0x00000000
0x00b3aaae
0x00b3a948
0x00b3aa18
0x00b3aa1a
0x00b3aa1e
0x00b3aa20
0x00000000
0x00000000
0x00b3aa34
0x00b3aa3e
0x00b3aa40
0x00000000
0x00b3aa40
0x00b3a94e
0x00b3a94e
0x00b3a950
0x00b3a9cc
0x00b3a9ce
0x00b3a9d1
0x00000000
0x00000000
0x00b3a9e5
0x00b3a9ec
0x00b3a9fd
0x00b3a9ff
0x00b3aa00
0x00b3aa01
0x00b3a9b2
0x00b3a9b5
0x00000000
0x00b3a9b5
0x00b3a952
0x00b3a952
0x00b3a953
0x00b3a978
0x00b3a97a
0x00b3a97d
0x00000000
0x00b3a983
0x00b3a991
0x00b3a998
0x00b3a9a0
0x00b3a9a9
0x00b3a9ab
0x00b3a9ac
0x00b3a9ad
0x00000000
0x00b3a9ad
0x00b3a97d
0x00b3a955
0x00b3a958
0x00000000
0x00b3a95e
0x00b3a95e
0x00b3a95f
0x00b3a960
0x00000000
0x00b3a960
0x00b3a901
0x00b3a904
0x00b3afe3
0x00000000
0x00b3afe3

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00B3AFDB

Strings

%d/%02d/%02d, xrefs: 00B3AD0A
, xrefs: 00B3A90F

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d$
API String ID: 3850602802-2664856528
Opcode ID: a5d914ff325ce26ff0ea101acf7123c0257115460fd97399d24cdcc9ccb448ef
Instruction ID: c69207ed03521047521a074392224977fde5f5ecc5397a5afa77075af2f7a920
Opcode Fuzzy Hash: a5d914ff325ce26ff0ea101acf7123c0257115460fd97399d24cdcc9ccb448ef
Instruction Fuzzy Hash: 2F12BFB1500208ABEB259F68CD89FAE7BF8EF45310F304299F595EB2D1DB708941CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AEF78E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000), ref: 00AEF796
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B44388
IsIconic.USER32 ref: 00B44391
ShowWindow.USER32(000000FF,00000009), ref: 00B4439E
SetForegroundWindow.USER32(000000FF), ref: 00B443A8
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B443BE
GetCurrentThreadId.KERNEL32 ref: 00B443C5
GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00B443D1
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00B443E2
AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00B443EA
AttachThreadInput.USER32(00000000,?,00000001), ref: 00B443F2
SetForegroundWindow.USER32(000000FF), ref: 00B443F5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B4440A
keybd_event.USER32 ref: 00B44415
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B4441F
keybd_event.USER32 ref: 00B44424
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B4442D
keybd_event.USER32 ref: 00B44432
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B4443C
keybd_event.USER32 ref: 00B44441
SetForegroundWindow.USER32(000000FF), ref: 00B44444
AttachThreadInput.USER32(000000FF,?,00000000), ref: 00B4446B

Strings

Shell_TrayWnd, xrefs: 00B44383

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: b26bcc6efe348803b7f3e8f1f87029a025db9a105eb627aa0bb525baebe872a6
Instruction ID: 00e98bff7c78080e861c6b2146035ff7da533f611c656c4eca75416a36aab9e8
Opcode Fuzzy Hash: b26bcc6efe348803b7f3e8f1f87029a025db9a105eb627aa0bb525baebe872a6
Instruction Fuzzy Hash: FB317271A40318BBEB306B719C89F7E3EACEB44B51F1041A5FA05EB1D0DBB05D51AAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B9F1 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00B0BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B0BF0F
Part of subcall function 00B0BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B0BF3C
Part of subcall function 00B0BEC3: GetLastError.KERNEL32 ref: 00B0BF49

_memset.LIBCMT ref: 00B0BA34
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00B0BA86
CloseHandle.KERNEL32(?), ref: 00B0BA97
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B0BAAE
GetProcessWindowStation.USER32 ref: 00B0BAC7
SetProcessWindowStation.USER32(00000000), ref: 00B0BAD1
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B0BAEB

Part of subcall function 00B0B8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B0B9EC), ref: 00B0B8C5
Part of subcall function 00B0B8B0: CloseHandle.KERNEL32(?,?,00B0B9EC), ref: 00B0B8D7

Strings

winsta0, xrefs: 00B0BAA9
, xrefs: 00B0BA43
default, xrefs: 00B0BAE6

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 4f0c75d4ccd73304a8d2d948c4ffb619a2b28643d125392b7ded845c18be8645
Instruction ID: fc1d3d4a43c7ec1c5e8abb84519a746245427fbb1f83e3c95e28ec9d238652c5
Opcode Fuzzy Hash: 4f0c75d4ccd73304a8d2d948c4ffb619a2b28643d125392b7ded845c18be8645
Instruction Fuzzy Hash: 60814771900209AFEF219FA4CD85EEEBFB9EF08304F184599F915B61A1DB318E15DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B22044 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74CB61D0,?,00000000), ref: 00B22065
_wcscmp.LIBCMT ref: 00B2207A
_wcscmp.LIBCMT ref: 00B22091
GetFileAttributesW.KERNEL32(?), ref: 00B220A3
SetFileAttributesW.KERNEL32(?,?), ref: 00B220BD
FindNextFileW.KERNEL32(00000000,?), ref: 00B220D5
FindClose.KERNEL32(00000000), ref: 00B220E0
FindFirstFileW.KERNEL32(*.*,?), ref: 00B220FC
_wcscmp.LIBCMT ref: 00B22123
_wcscmp.LIBCMT ref: 00B2213A
SetCurrentDirectoryW.KERNEL32(?), ref: 00B2214C
SetCurrentDirectoryW.KERNEL32(00B83A68), ref: 00B2216A
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B22174
FindClose.KERNEL32(00000000), ref: 00B22181
FindClose.KERNEL32(00000000), ref: 00B22191

Strings

*.*, xrefs: 00B220F7

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 099c344286c6d0f67172a1510a5cb43c57a28bbd23b83230479d48bec54d2afc
Instruction ID: 94c0bb75f990c66d5c0034f26d1104589d4c0bf6bd8b89ea949b31bfb974c372
Opcode Fuzzy Hash: 099c344286c6d0f67172a1510a5cb43c57a28bbd23b83230479d48bec54d2afc
Instruction Fuzzy Hash: 6A3180319002297ADB24EBA4EC49FEE77ECDF09351F1441D6FA14E30A0EA74DA94CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00B2219F Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74CB61D0,?,00000000), ref: 00B221C0
_wcscmp.LIBCMT ref: 00B221D5
_wcscmp.LIBCMT ref: 00B221EC

Part of subcall function 00B17606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B17621

FindNextFileW.KERNEL32(00000000,?), ref: 00B2221B
FindClose.KERNEL32(00000000), ref: 00B22226
FindFirstFileW.KERNEL32(*.*,?), ref: 00B22242
_wcscmp.LIBCMT ref: 00B22269
_wcscmp.LIBCMT ref: 00B22280
SetCurrentDirectoryW.KERNEL32(?), ref: 00B22292
SetCurrentDirectoryW.KERNEL32(00B83A68), ref: 00B222B0
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B222BA
FindClose.KERNEL32(00000000), ref: 00B222C7
FindClose.KERNEL32(00000000), ref: 00B222D7

Strings

*.*, xrefs: 00B2223D

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: ae8c02818ddb5cf5ba39d4ec285814a978fbaf744b401ca9541cdfa1e69ba1a3
Instruction ID: 1a7e2f84d8112d62cfbfa46007270b798d279ba6eea92186d99060b7ae1d61d2
Opcode Fuzzy Hash: ae8c02818ddb5cf5ba39d4ec285814a978fbaf744b401ca9541cdfa1e69ba1a3
Instruction Fuzzy Hash: E7318231901629BACB24EBA4EC48FDE77ECDF45321F1402D5E914E31A0EA75DE85CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B398 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B8E7: GetUserObjectSecurity.USER32 ref: 00B0B903
Part of subcall function 00B0B8E7: GetLastError.KERNEL32(?,00B0B3CB,?,?,?), ref: 00B0B90D
Part of subcall function 00B0B8E7: GetProcessHeap.KERNEL32(00000008,?,?,00B0B3CB,?,?,?), ref: 00B0B91C
Part of subcall function 00B0B8E7: HeapAlloc.KERNEL32(00000000,?,00B0B3CB,?,?,?), ref: 00B0B923
Part of subcall function 00B0B8E7: GetUserObjectSecurity.USER32 ref: 00B0B93A

Part of subcall function 00B0B982: GetProcessHeap.KERNEL32(00000008,00B0B3E1,00000000,00000000,?,00B0B3E1,?), ref: 00B0B98E
Part of subcall function 00B0B982: HeapAlloc.KERNEL32(00000000,?,00B0B3E1,?), ref: 00B0B995
Part of subcall function 00B0B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B0B3E1,?), ref: 00B0B9A6

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B0B3FC
_memset.LIBCMT ref: 00B0B411
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B0B430
GetLengthSid.ADVAPI32(?), ref: 00B0B441
GetAce.ADVAPI32(?,00000000,?), ref: 00B0B47E
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B0B49A
GetLengthSid.ADVAPI32(?), ref: 00B0B4B7
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B0B4C6
HeapAlloc.KERNEL32(00000000), ref: 00B0B4CD
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B0B4EE
CopySid.ADVAPI32(00000000), ref: 00B0B4F5
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B0B526
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B0B54C
SetUserObjectSecurity.USER32 ref: 00B0B560

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: e9e968abf38c0a6863994937eb75e34844d8c147182ac757bc959cfcc8825f02
Instruction ID: a0835be0930a4218b0845abf232dc192f63be6d4411c1856e6c18ae1099b523b
Opcode Fuzzy Hash: e9e968abf38c0a6863994937eb75e34844d8c147182ac757bc959cfcc8825f02
Instruction Fuzzy Hash: 2C512871900209AFDF10DFA4DC55EEEBBB9FF04301F0482A9F915AB2A1DB359A05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B224A9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B224F6
Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B22526
_wcscmp.LIBCMT ref: 00B2253A
_wcscmp.LIBCMT ref: 00B22555
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B225F3
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B22609

Strings

*.*, xrefs: 00B224D8

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 2bb5dfff440543720ad2406ccd48d86e2032d5d677e227f85e168d4e849c955e
Instruction ID: 688592c107b11bf3d52bf639ae8450a81f9999035ac7e803f89e0dfe6fbcd3d8
Opcode Fuzzy Hash: 2bb5dfff440543720ad2406ccd48d86e2032d5d677e227f85e168d4e849c955e
Instruction Fuzzy Hash: D3416D7190421AAFCF25DFA4DD59AEEBBF4FF14310F144496E819E2291EB309A84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AD8530 Relevance: 11.0, APIs: 7, Instructions: 531COMMON

Download Yara Rule

APIs

Part of subcall function 00ADA2FB: _memmove.LIBCMT ref: 00ADA33D

_memmove.LIBCMT ref: 00AD8672
_memmove.LIBCMT ref: 00AD86C2
_memmove.LIBCMT ref: 00AD8728

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 79bf02d7ff987720de3176de2d80db0319a683b9d05f78a5ebcb634b1aab0996
Instruction ID: 41164f53a443033280b81c93304fe4c41af6a9bc29755049d41d26e30f41eec5
Opcode Fuzzy Hash: 79bf02d7ff987720de3176de2d80db0319a683b9d05f78a5ebcb634b1aab0996
Instruction Fuzzy Hash: 8D126B70A00609DFDF14DFA5DA81AAEB7F5FF48300F60856AE806E7251EB35AE11DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B182D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B0BF0F
Part of subcall function 00B0BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B0BF3C
Part of subcall function 00B0BEC3: GetLastError.KERNEL32 ref: 00B0BF49

ExitWindowsEx.USER32 ref: 00B1830C

Strings

, xrefs: 00B182FA
@, xrefs: 00B182FF
SeShutdownPrivilege, xrefs: 00B182DA

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 7fa20f52ad34b2cefe9411be83e06f65faeb0761656652d5517dfbb85ebfbb89
Instruction ID: 25723e4fbbab465eae2d3d41a7f3b23e0b6bfa342d37b6851a56f22e71fbdd1c
Opcode Fuzzy Hash: 7fa20f52ad34b2cefe9411be83e06f65faeb0761656652d5517dfbb85ebfbb89
Instruction Fuzzy Hash: C1018471640311ABE7692678AC8AFFB76D8FB04F81F5809E4F963D60D1DE609C8181A8

Uniqueness

Uniqueness Score: -1.00%

Function 00B11050 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B110B8
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B110EE
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B110FF
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B11181

Strings

DllGetClassObject, xrefs: 00B110F4

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b80edbcd81b69634adbe3626e104ab7396bfbe5a92c4985d8550fa3c097a9711
Instruction ID: 816c08f1aa3faa3c941bad5c154866554d561c2b3f3c56a015f0affae010b616
Opcode Fuzzy Hash: b80edbcd81b69634adbe3626e104ab7396bfbe5a92c4985d8550fa3c097a9711
Instruction Fuzzy Hash: C6415BB1600204AFDB15CF58C884BDABBE9EF45350B5485E9EB09EF205D7B1D994CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA0C0 Relevance: 8.0, APIs: 5, Instructions: 514COMMON

Download Yara Rule

APIs

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

Part of subcall function 00AF010A: std::exception::exception.LIBCMT ref: 00AF013E
Part of subcall function 00AF010A: __CxxThrowException@8.LIBCMT ref: 00AF0153

_memmove.LIBCMT ref: 00B43020
_memmove.LIBCMT ref: 00B43135
_memmove.LIBCMT ref: 00B431DC

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _memmove$Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 3956474712-0
Opcode ID: d319ea4772084b2666135f6474273334edc9c4a3a579de005a22de21bb2bd7af
Instruction ID: 7398e4b37831a99c23e827e6e76cfa70cac93bdce981db8f06dc606e7bdd23b1
Opcode Fuzzy Hash: d319ea4772084b2666135f6474273334edc9c4a3a579de005a22de21bb2bd7af
Instruction Fuzzy Hash: 88029E70A00209DBCF04DF65C981AAEBBF5EF58300F5481AAF806DB365EB35DA15DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B1F350 Relevance: 7.6, APIs: 5, Instructions: 125fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B1F37A
_wcscmp.LIBCMT ref: 00B1F3AA
_wcscmp.LIBCMT ref: 00B1F3BF
FindNextFileW.KERNEL32(00000000,?), ref: 00B1F3D0
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00B1F3FE

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 90e3e03e3a98c376a29cfd3283cc68032626819a4f853a0672246cdf9d8998f3
Instruction ID: f7307746ed796ae2279dc0881136b08dfc6523a22c5b69913442cb4511e74a4c
Opcode Fuzzy Hash: 90e3e03e3a98c376a29cfd3283cc68032626819a4f853a0672246cdf9d8998f3
Instruction Fuzzy Hash: 8D419F356047029FC708DF68C490AEAB7E4FF49324F5042AEF55ACB3A1DB75A981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B113A6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,00000000,00B11371,?,00B11519), ref: 00B113B4
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00B113C6

Strings

oleaut32.dll, xrefs: 00B113AF
UnRegisterTypeLibForUser, xrefs: 00B113C0

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: UnRegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1587604923
Opcode ID: 3a950d7318a5aa1049a610eb6a7131c0bda7428a55686a15c4e82d518781bada
Instruction ID: 0c7c1d8aa1bfc0654194fc55c22bc65205cda85a1e6b1bcadd782c9e6fc2705d
Opcode Fuzzy Hash: 3a950d7318a5aa1049a610eb6a7131c0bda7428a55686a15c4e82d518781bada
Instruction Fuzzy Hash: 47D0A730400713AFD7311F38F80874136E8EB40705F0048DAE665E2574DE70C4C0CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B14342 Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B1439C
SetKeyboardState.USER32(00000080,?,00000001), ref: 00B143B8
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00B14425
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00B14483

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9fa75c43070931ca6fda50664ed981ad6d73f6c208be8e5e5c1e3c1b500fe398
Instruction ID: 1cb36436f89b6ab54bc38236f6c5df185b5459c6d4637a0957441aa2ad2362be
Opcode Fuzzy Hash: 9fa75c43070931ca6fda50664ed981ad6d73f6c208be8e5e5c1e3c1b500fe398
Instruction Fuzzy Hash: 9A4123B0A00248AAEF309B65A848BFDBBF5EB55711F8401DAF481933C1CB748EC59765

Uniqueness

Uniqueness Score: -1.00%

Function 00B1220C Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 560stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B1221E

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

Strings

|, xrefs: 00B1224E
(, xrefs: 00B12264

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _malloclstrlen
String ID: ($|
API String ID: 3912106968-1631851259
Opcode ID: 2dd9834ab13413c0b8308fdf3b898811fecbe325a0c70f123cb45a6299562298
Instruction ID: a9b6629c9fa36074976da6a413c35beca28b27e4b64e917f5bce8be8719410ac
Opcode Fuzzy Hash: 2dd9834ab13413c0b8308fdf3b898811fecbe325a0c70f123cb45a6299562298
Instruction Fuzzy Hash: B6322775A006059FC728CF69C480AAAF7F0FF48320B51C5AEE59ADB3A1D770E991CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00B170AE Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B170D8
DeviceIoControl.KERNEL32 ref: 00B17115
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B1711E

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 40c8d939d7d1e12604c8fea1e9510f31984c9ba11a988ca0970bb7b172d18d92
Instruction ID: 9c98161681a0d8ed5391f23d413727e6d0d7ec0c36eb62cdd6e2d7cbb313e211
Opcode Fuzzy Hash: 40c8d939d7d1e12604c8fea1e9510f31984c9ba11a988ca0970bb7b172d18d92
Instruction Fuzzy Hash: 1D11C2B1940228BFE7108BA8DC45FEFB6FCEB08714F000686B900F7190C6749E4087E1

Uniqueness

Uniqueness Score: -1.00%

Function 00AD6670 Relevance: 4.1, APIs: 2, Instructions: 1093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AD67D0

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b649b99168cef48bfe8a192d63bd2e047badb4d047d159fd5d220b7db40ed127
Instruction ID: 187012b501be5c69c1232c890a98d2833f5737b5d61457405aed250a852a47d4
Opcode Fuzzy Hash: b649b99168cef48bfe8a192d63bd2e047badb4d047d159fd5d220b7db40ed127
Instruction Fuzzy Hash: A2A24875E01219CFCB28CF58C4807ADBBB1FF49314F2581AAE85AAB390D7749E85DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D712 Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B2C2E2,?,?,00000000,?), ref: 00B1D73F
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B2C2E2,?,?,00000000,?), ref: 00B1D751

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1c0d399b7e0627bc4901993d2a8d4557f0f4ae314de3c0490a2b1c1017700680
Instruction ID: ac7045cb7923675aeb05531f4625ff9af8107dc7e7855551d538fed9e680e5d7
Opcode Fuzzy Hash: 1c0d399b7e0627bc4901993d2a8d4557f0f4ae314de3c0490a2b1c1017700680
Instruction Fuzzy Hash: 29F0823510032DABDB21AFA4CC49FEA77ADAF49361F008195B909D6191D7309940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B8B0 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B0B9EC), ref: 00B0B8C5
CloseHandle.KERNEL32(?,?,00B0B9EC), ref: 00B0B8D7

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d9dac0ad9fa4ed183e57b201d695fddf2dd8d06322839efd2a65129fc972cad9
Instruction ID: 0460a0b005ced48ef3d79414bc785689365894f29cd9c0abdacaf8b9b1d84703
Opcode Fuzzy Hash: d9dac0ad9fa4ed183e57b201d695fddf2dd8d06322839efd2a65129fc972cad9
Instruction Fuzzy Hash: 17E08C32000601AFE7222BA0EC08E737BEEEF04311B10CA69F59681470CB32ACD0DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B0113E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8086c3a709037033fda3256d0f4364ca721411e5a22ecb7511239f0ea6d79472
Instruction ID: fda0b1fbe814d75c8146db9eb03dfd5bcfccb9d6884d2146a99a974b82949105
Opcode Fuzzy Hash: 8086c3a709037033fda3256d0f4364ca721411e5a22ecb7511239f0ea6d79472
Instruction Fuzzy Hash: 61B10220D2AF414DD72396398831336BA9CAFBB2C5F91D71BFC1A75DA2EB2581934180

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D095 Relevance: 49.8, APIs: 33, Instructions: 260
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00B3D095(intOrPtr _a4, struct HWND__** _a8) {
				int _v32;
				struct tagRECT _v48;
				struct tagRECT _v64;
				struct HBRUSH__* _v68;
				int _v72;
				void* _v76;
				WCHAR* _v80;
				WCHAR* _v84;
				int _v92;
				int _v96;
				void* _v100;
				void* __ebx;
				void* __edi;
				signed int _t87;
				long _t90;
				long _t92;
				void* _t94;
				void* _t102;
				signed int _t103;
				WCHAR* _t107;
				int _t118;
				struct HDC__* _t145;
				int _t150;
				signed int _t157;
				struct HWND__** _t160;
				intOrPtr _t168;
				int _t171;
				struct HWND__** _t172;
				int _t173;
				void* _t176;
				void* _t178;

				if( *0xb910ec == 0) {
					_t168 = _a4;
					_t87 =  *(_t168 + 0x10);
					_t145 =  *(_t168 + 0x18);
					_v48.left = _t87 & 0x00000010;
					_t150 = _t87 & 0x00000006;
					_v48.right = _t87 & 0x00000001;
					_v32 = _t150;
					__eflags = _t150;
					if(_t150 == 0) {
						_t160 = _a8;
						__eflags =  *((intOrPtr*)(_t160 + 0x4c)) - 0xffffffff;
						if( *((intOrPtr*)(_t160 + 0x4c)) != 0xffffffff) {
							_push( *((intOrPtr*)(_t160 + 0x4c)));
						} else {
							_push(GetSysColor(0x12));
						}
						_t90 = SetTextColor(_t145, ??);
					} else {
						_t90 = SetTextColor(_t145, GetSysColor(0xe));
						_t160 = _a8;
					}
					__eflags =  *(_t160 + 0x48) - 0xffffffff;
					_v48.top = _t90;
					if( *(_t160 + 0x48) != 0xffffffff) {
						_v68 = CreateSolidBrush( *(_t160 + 0x48));
						_t92 =  *(_t160 + 0x48);
					} else {
						_v64.left = GetSysColorBrush(0xf);
						_t92 = GetSysColor(0xf);
					}
					_v48.top = SetBkColor(_t145, _t92);
					_t94 = SelectObject(_t145, _v76);
					__eflags = _v68;
					_v64.right = _t94;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v72 = _t168 + 0x1c;
					asm("movsd");
					if(_v68 == 0) {
						__eflags = _v76;
						if(_v76 != 0) {
							InflateRect( &_v48, 0xffffffff, 0xffffffff);
						}
						DrawFrameControl(_t145,  &_v48, 4, 0x10);
					} else {
						InflateRect( &_v48, 0xffffffff, 0xffffffff);
						_t178 = CreateSolidBrush(GetSysColor(0x10));
						FrameRect(_t145,  &(_v64.bottom), _t178);
						DeleteObject(_t178);
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t171 = _v68;
					_t98 =  &_v48;
					__eflags = _t171;
					if(_t171 == 0) {
						__eflags = _v76;
						if(_v76 == 0) {
							_push(0xfffffffe);
							_push(0xfffffffe);
						} else {
							_push(0xfffffffd);
							_push(0xfffffffd);
						}
						InflateRect(_t98, ??, ??);
						_v48.left = _v48.left - 1;
						_t38 =  &(_v48.top);
						 *_t38 = _v48.top - 1;
						__eflags =  *_t38;
					} else {
						InflateRect( &_v48, 0xfffffffe, 0xfffffffe);
					}
					FillRect(_t145,  &_v48, _v84);
					_t102 = 2;
					__eflags = _t171;
					if(_t171 != 0) {
						L24:
						_v64.top.left = _v64.top.left + _t102;
						_t45 =  &(_v64.right);
						 *_t45 = _v64.right + _t102;
						__eflags =  *_t45;
					} else {
						__eflags = _v72 - _t171;
						if(_v72 != _t171) {
							goto L24;
						}
					}
					_t172 = _a8;
					_t163 = 0x104;
					_v92 = 0x104;
					_t103 = GetWindowLongW( *_t172, 0xfffffff0);
					__eflags = _t103 & 0x00002000;
					if((_t103 & 0x00002000) == 0) {
						_t163 = 0x124;
						__eflags = 0x104;
						_v92 = 0x104;
					}
					__eflags = _t103 & 0x00000100;
					if(__eflags == 0) {
						_t163 = _t163 | 0x00000001;
						__eflags = _t163;
						_v92 = _t163;
					}
					_t55 = SendMessageW( *_t172, 0xe, 0, 0) + 1; // 0x1
					_t173 = _t55;
					_t157 = 2;
					_t107 = E00AF010A(_t145,  ~(0 | __eflags > 0x00000000) | _t173 * _t157, _t163, __eflags,  ~(0 | __eflags > 0x00000000) | _t173 * _t157);
					_v80 = _t107;
					GetWindowTextW( *_a8, _t107, _t173);
					DrawTextW(_t145, _v80, 0xffffffff,  &(_v64.top), _t163);
					__eflags = _v72;
					if(_v72 != 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v64.right = _v64.right + 1;
						_t71 =  &(_v64.bottom);
						 *_t71 = _v64.bottom.left + 1;
						__eflags =  *_t71;
						SetTextColor(_t145, GetSysColor(0x11));
						DrawTextW(_t145, _v84, 0xffffffff,  &_v64, _v96);
					}
					__eflags = _v84;
					if(_v84 != 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t176 = CreateSolidBrush(0);
						FrameRect(_t145,  &(_v64.top), _t176);
						DeleteObject(_t176);
						InflateRect( &_v64, 0xfffffffc, 0xfffffffc);
						DrawFocusRect(_t145,  &_v64);
					}
					L00AF017E(_v76);
					SelectObject(_t145, _v64);
					DeleteObject(_v100);
					SetTextColor(_t145, _v84);
					SetBkColor(_t145, _v80);
					_t118 = 1;
					__eflags = 1;
				} else {
					_t118 = E00B3D385(_a4, _a8);
				}
				return _t118;
			}

0x00b3d0a8
0x00b3d0ba
0x00b3d0bd
0x00b3d0c0
0x00b3d0c8
0x00b3d0d1
0x00b3d0d4
0x00b3d0dd
0x00b3d0e1
0x00b3d0e3
0x00b3d0f6
0x00b3d0f9
0x00b3d0fd
0x00b3d106
0x00b3d0ff
0x00b3d103
0x00b3d103
0x00b3d10a
0x00b3d0e5
0x00b3d0eb
0x00b3d0f1
0x00b3d0f1
0x00b3d110
0x00b3d114
0x00b3d118
0x00b3d139
0x00b3d13d
0x00b3d11a
0x00b3d124
0x00b3d128
0x00b3d128
0x00b3d14c
0x00b3d151
0x00b3d157
0x00b3d15c
0x00b3d169
0x00b3d16a
0x00b3d16b
0x00b3d16c
0x00b3d170
0x00b3d171
0x00b3d1a9
0x00b3d1ae
0x00b3d1b9
0x00b3d1b9
0x00b3d1c9
0x00b3d173
0x00b3d17c
0x00b3d191
0x00b3d19a
0x00b3d1a1
0x00b3d1a1
0x00b3d1d7
0x00b3d1d8
0x00b3d1d9
0x00b3d1da
0x00b3d1db
0x00b3d1df
0x00b3d1e3
0x00b3d1e5
0x00b3d1f4
0x00b3d1f9
0x00b3d201
0x00b3d203
0x00b3d1fb
0x00b3d1fb
0x00b3d1fd
0x00b3d1fd
0x00b3d206
0x00b3d20c
0x00b3d210
0x00b3d210
0x00b3d210
0x00b3d1e7
0x00b3d1ec
0x00b3d1ec
0x00b3d21e
0x00b3d226
0x00b3d227
0x00b3d229
0x00b3d231
0x00b3d231
0x00b3d235
0x00b3d235
0x00b3d235
0x00b3d22b
0x00b3d22b
0x00b3d22f
0x00000000
0x00000000
0x00b3d22f
0x00b3d239
0x00b3d240
0x00b3d245
0x00b3d249
0x00b3d24f
0x00b3d254
0x00b3d256
0x00b3d256
0x00b3d259
0x00b3d259
0x00b3d25d
0x00b3d262
0x00b3d264
0x00b3d264
0x00b3d267
0x00b3d267
0x00b3d279
0x00b3d279
0x00b3d280
0x00b3d28d
0x00b3d295
0x00b3d29e
0x00b3d2b1
0x00b3d2b7
0x00b3d2bc
0x00b3d2c6
0x00b3d2c7
0x00b3d2c8
0x00b3d2c9
0x00b3d2ca
0x00b3d2ce
0x00b3d2ce
0x00b3d2ce
0x00b3d2dc
0x00b3d2f2
0x00b3d2f2
0x00b3d2f8
0x00b3d2fd
0x00b3d307
0x00b3d308
0x00b3d309
0x00b3d30c
0x00b3d313
0x00b3d31c
0x00b3d323
0x00b3d332
0x00b3d33e
0x00b3d33e
0x00b3d348
0x00b3d353
0x00b3d35d
0x00b3d368
0x00b3d373
0x00b3d37b
0x00b3d37b
0x00b3d0aa
0x00b3d0b0
0x00b3d0b0
0x00b3d382

APIs

SetTextColor.GDI32(?,00000000), ref: 00B3D0EB
GetSysColorBrush.USER32(0000000F), ref: 00B3D11C
GetSysColor.USER32(0000000F), ref: 00B3D128
SetBkColor.GDI32(?,000000FF), ref: 00B3D142
SelectObject.GDI32(?,00000000), ref: 00B3D151
InflateRect.USER32(?,000000FF,000000FF), ref: 00B3D17C
GetSysColor.USER32(00000010), ref: 00B3D184
CreateSolidBrush.GDI32(00000000), ref: 00B3D18B
FrameRect.USER32 ref: 00B3D19A
DeleteObject.GDI32(00000000), ref: 00B3D1A1
InflateRect.USER32(?,000000FE,000000FE), ref: 00B3D1EC
FillRect.USER32 ref: 00B3D21E
GetWindowLongW.USER32(?,000000F0), ref: 00B3D249

Part of subcall function 00B3D385: GetSysColor.USER32(00000012), ref: 00B3D3BE
Part of subcall function 00B3D385: SetTextColor.GDI32(?,?), ref: 00B3D3C2
Part of subcall function 00B3D385: GetSysColorBrush.USER32(0000000F), ref: 00B3D3D8
Part of subcall function 00B3D385: GetSysColor.USER32(0000000F), ref: 00B3D3E3
Part of subcall function 00B3D385: GetSysColor.USER32(00000011), ref: 00B3D400
Part of subcall function 00B3D385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B3D40E
Part of subcall function 00B3D385: SelectObject.GDI32(?,00000000), ref: 00B3D41F
Part of subcall function 00B3D385: SetBkColor.GDI32(?,00000000), ref: 00B3D428
Part of subcall function 00B3D385: SelectObject.GDI32(?,?), ref: 00B3D435
Part of subcall function 00B3D385: InflateRect.USER32(?,000000FF,000000FF), ref: 00B3D454
Part of subcall function 00B3D385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B3D46B
Part of subcall function 00B3D385: GetWindowLongW.USER32(00000000,000000F0), ref: 00B3D480
Part of subcall function 00B3D385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B3D4A8

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: aa8e6237ddf14304cd9cf7ee7efc3cdd1cb043e61efd7f51741567074107ed36
Instruction ID: ad164354fe051ac95d2dde529c5d0153820cba924fe1ad06ed2357691f592e71
Opcode Fuzzy Hash: aa8e6237ddf14304cd9cf7ee7efc3cdd1cb043e61efd7f51741567074107ed36
Instruction Fuzzy Hash: 91915C71408701AFD7219F64EC48F5BBBE9FB89322F200B59F962A71A0DB71D944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AD48C8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00AD48C8(void* __ecx, int _a4) {
				struct HWND__* _v32;
				char _v48;
				void* _v52;
				int _v68;
				void* _v76;
				struct HWND__** _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				struct HWND__** _v96;
				signed char _v97;
				struct HWND__* _v100;
				char _t196;
				signed char _t201;
				signed int _t202;
				int _t212;
				struct HMENU__* _t213;
				struct HMENU__* _t215;
				struct HWND__* _t222;
				struct HWND__* _t225;
				struct HMENU__* _t232;
				intOrPtr _t238;
				struct HWND__* _t240;
				signed int _t241;
				struct HWND__* _t247;
				signed int _t253;
				struct HWND__* _t263;
				signed int _t266;
				struct HWND__* _t267;
				struct HWND__* _t277;
				int _t279;
				void* _t282;
				void* _t290;
				int _t292;
				void* _t295;
				struct HWND__* _t296;
				void* _t308;
				void* _t314;
				struct HWND__** _t318;
				struct HWND__* _t321;
				struct HWND__* _t323;
				struct HWND__* _t325;
				void* _t330;
				struct HWND__* _t331;
				struct HWND__* _t333;
				signed int _t334;
				intOrPtr _t335;
				struct HWND__** _t337;
				intOrPtr _t341;
				signed int _t342;
				struct HWND__* _t343;
				intOrPtr _t344;
				struct HWND__* _t345;
				struct HWND__* _t346;
				struct HWND__** _t349;
				signed int _t350;
				int _t352;
				struct HWND__** _t354;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				intOrPtr* _t359;
				signed int _t360;
				signed int _t362;

				_t352 = _a4;
				_t314 = __ecx;
				if(L00ADCF2C(__ecx, _t352,  &_v88,  &_v84) == 0) {
					L21:
					_t196 = 0;
					L15:
					return _t196;
				}
				_t4 = _t314 + 0x60; // 0x0
				_t6 = _t314 + 0x74; // 0xeee1e8
				_t341 =  *_t6;
				_v92 = _v92 | 0xffffffff;
				_t318 =  *((intOrPtr*)( *((intOrPtr*)( *_t4 + _v88 * 4))));
				_v96 = _t318;
				_t349 =  *( *(_t341 + _v84 * 4));
				_v80 = _t349;
				_t201 = _t349[0x24];
				_v97 = _t201;
				_t202 = _t201 & 0x000000ff;
				if(_t202 <= 0x11) {
					if(__eflags == 0) {
						SendMessageW(_t349[0xd], 0x1101, 0, _t349[4]);
						L8:
						_t354 = _v96;
						L9:
						if(_t349[0x11] != 0) {
							DeleteObject(_t349[0x11]);
						}
						if(_t349[0x19] != 0) {
							DeleteObject(_t349[0x19]);
						}
						if(_t349[0x1a] != 0) {
							DestroyIcon(_t349[0x1a]);
						}
						if(_t349[0x14] != 0) {
							DestroyWindow(_t349[0x14]);
						}
						_t208 = _v92;
						if(_v92 == _t354[7]) {
							_t354[7] = _v100;
						}
						L00AD4A54(_t314, _t208);
						_t196 = 1;
						goto L15;
					}
					__eflags = _t202 - 0xc;
					if(__eflags > 0) {
						__eflags = _t202 - 0xe;
						if(_t202 < 0xe) {
							L7:
							DestroyWindow( *_t349);
							goto L8;
						}
						__eflags = _t202 - 0xf;
						if(_t202 <= 0xf) {
							__eflags = _v97 - 0xe;
							if(_v97 != 0xe) {
								L99:
								_t212 = DeleteMenu(_t349[3], _t352, 0);
								__eflags = _t212;
								if(_t212 != 0) {
									_t354 = _v96;
								} else {
									_t354 = _v96;
									DeleteMenu(_t354[0x67], _t352, _t212);
								}
								_t213 = _t354[0x67];
								__eflags = _t213;
								if(_t213 != 0) {
									_t215 = GetMenuItemCount(_t213);
									__eflags = _t215;
									if(_t215 == 0) {
										SetMenu( *_t354, _t215);
										DestroyMenu(_t354[0x67]);
										_t151 =  &(_t354[0x67]);
										 *_t151 = _t354[0x67] & 0x00000000;
										__eflags =  *_t151;
									}
								}
								DrawMenuBar( *_t354);
								goto L9;
							}
							_v52 = 0x30;
							E00AF1970( &_v48, 0, 0x2c);
							_v48 = 4;
							_t222 = GetMenuItemInfoW(_t349[3], _t352, 0,  &_v52);
							__eflags = _t222;
							if(_t222 == 0) {
								goto L99;
							}
							_t321 = _v32;
							_v80 = _t321;
							__eflags = _t321;
							if(_t321 == 0) {
								goto L99;
							}
							_t355 = 3;
							__eflags =  *(_t314 + 0x84) - _t355;
							if( *(_t314 + 0x84) < _t355) {
								L98:
								_t352 = _a4;
								goto L99;
							} else {
								goto L93;
							}
							do {
								L93:
								_t137 = _t314 + 0x74; // 0xeee1e8
								_t225 =  *( *( *_t137 + _t355 * 4));
								__eflags = _t225;
								if(_t225 != 0) {
									__eflags =  *((intOrPtr*)(_t225 + 0xc)) - _t321;
									if( *((intOrPtr*)(_t225 + 0xc)) == _t321) {
										__eflags =  *((char*)(_t225 + 0x90)) - 0xf;
										if( *((char*)(_t225 + 0x90)) == 0xf) {
											L00AD4A54(_t314, _t355);
											_t321 = _v84;
										}
									}
								}
								_t355 = _t355 + 1;
								_t143 = _t314 + 0x84; // 0x2
								__eflags = _t355 -  *_t143;
							} while (_t355 <=  *_t143);
							goto L98;
						}
						__eflags = _t202 - 0x10;
						if(_t202 != 0x10) {
							goto L7;
						}
						__eflags = _t349[0x10];
						if(_t349[0x10] != 0) {
							ImageList_Destroy(_t349[0x10]);
						}
						_t356 = 3;
						__eflags =  *(_t314 + 0x84) - _t356;
						if( *(_t314 + 0x84) >= _t356) {
							do {
								_t122 = _t314 + 0x74; // 0xeee1e8
								_t323 =  *( *( *_t122 + _t356 * 4));
								__eflags = _t323;
								if(_t323 != 0) {
									__eflags =  *((intOrPtr*)(_t323 + 0x34)) -  *_t349;
									if( *((intOrPtr*)(_t323 + 0x34)) ==  *_t349) {
										__eflags =  *((char*)(_t323 + 0x90)) - 0x11;
										if( *((char*)(_t323 + 0x90)) == 0x11) {
											L00AD4A54(_t314, _t356);
										}
									}
								}
								_t356 = _t356 + 1;
								_t127 = _t314 + 0x84; // 0x2
								__eflags = _t356 -  *_t127;
							} while (_t356 <=  *_t127);
						}
						goto L7;
					}
					if(__eflags == 0) {
						_t357 = 3;
						__eflags =  *((intOrPtr*)(__ecx + 0x84)) - _t357;
						if( *((intOrPtr*)(__ecx + 0x84)) < _t357) {
							L74:
							_t232 =  *(_t318 + 0x1a0);
							__eflags = _t349[3] - _t232;
							if(_t349[3] != _t232) {
								DestroyMenu(_t349[3]);
								goto L8;
							}
							DestroyMenu(_t232);
							_t354 = _v96;
							_t354[0x68] = _t354[0x68] & 0x00000000;
							goto L9;
						} else {
							goto L66;
						}
						do {
							L66:
							_t103 = _t314 + 0x74; // 0xeee1e8
							_t325 =  *( *( *_t103 + _t357 * 4));
							__eflags = _t325;
							if(_t325 == 0) {
								goto L72;
							}
							__eflags =  *(_t325 + 0xc) - _t349[3];
							if( *(_t325 + 0xc) != _t349[3]) {
								goto L72;
							}
							_t238 =  *((intOrPtr*)(_t325 + 0x90));
							__eflags = _t238 - 0xf;
							if(_t238 == 0xf) {
								L71:
								L00AD4A54(_t314, _t357);
								goto L72;
							}
							__eflags = _t238 - 0xe;
							if(_t238 == 0xe) {
								goto L71;
							}
							 *(_t325 + 0xc) =  *(_t325 + 0xc) & 0x00000000;
							L72:
							_t357 = _t357 + 1;
							_t111 = _t314 + 0x84; // 0x2
							__eflags = _t357 -  *_t111;
						} while (_t357 <=  *_t111);
						_t318 = _v96;
						goto L74;
					}
					__eflags = _t202 - 2;
					if(_t202 < 2) {
						goto L7;
					}
					_t358 = 3;
					__eflags = _t202 - _t358;
					if(_t202 <= _t358) {
						_t240 =  *(_t318 + 0x1c4);
						__eflags = _t240;
						if(_t240 > 0) {
							__eflags = _a4 - _t240;
							if(_a4 == _t240) {
								 *(_t318 + 0x1c4) =  *(_t318 + 0x1c4) & 0x00000000;
							}
						}
						goto L7;
					}
					__eflags = _t202 - 0xa;
					if(_t202 == 0xa) {
						_t83 = _t314 + 0x84; // 0x2
						_t241 =  *_t83;
						__eflags = _t241 - _t358;
						if(_t241 < _t358) {
							L60:
							_t342 = _v92;
							 *(_t318 + 0x188) = 0;
							 *((intOrPtr*)(_t318 + 0x18c)) = _t342;
							 *((intOrPtr*)(_t318 + 0x190)) = _t342;
							 *((intOrPtr*)(_t318 + 0x194)) = 0;
							 *((char*)(_t318 + 0x198)) = 0;
							DestroyWindow( *_t349);
							__eflags = _t349[0x10];
							if(_t349[0x10] != 0) {
								ImageList_Destroy(_t349[0x10]);
							}
							goto L8;
						}
						_t350 = _t241;
						do {
							_t84 = _t314 + 0x74; // 0xeee1e8
							_t247 =  *( *( *_t84 + _t350 * 4));
							__eflags = _t247;
							if(_t247 != 0) {
								__eflags =  *((char*)(_t247 + 0x90)) - 0xb;
								if( *((char*)(_t247 + 0x90)) == 0xb) {
									E00AD48C8(_t314, _t350);
								}
							}
							_t350 = _t350 - 1;
							__eflags = _t350 - _t358;
						} while (_t350 >= _t358);
						_t349 = _v80;
						_t318 = _v96;
						goto L60;
					}
					__eflags = _t202 - 0xb;
					if(_t202 != 0xb) {
						goto L7;
					} else {
						_v88 =  *((intOrPtr*)(_t318 + 0x190));
						SendMessageW( *(_t318 + 0x188), 0x1308, _t349[0x24] & 0x000000ff, 0);
						_t253 = E00AEB155(_t314, _v96[0x62]);
						_t37 = _t314 + 0x74; // 0xeee1e8
						_t330 =  *( *((intOrPtr*)( *((intOrPtr*)( *_t37 + _t253 * 4)))) + 0x40);
						__eflags = _t330;
						if(_t330 != 0) {
							_t279 = _t349[0x22] & 0x0000ffff;
							__eflags = _t279 - _v92;
							if(_t279 != _v92) {
								ImageList_Remove(_t330, _t279);
							}
						}
						__eflags =  *(_t314 + 0x84) - _t358;
						if( *(_t314 + 0x84) < _t358) {
							L47:
							_t331 = _v88;
							_t354 = _v96;
							__eflags = (_t349[0x24] & 0x000000ff) - _t331;
							if((_t349[0x24] & 0x000000ff) != _t331) {
								_t354[0x64] = _v92;
								__eflags = _t331 - (_t349[0x24] & 0x000000ff);
								if(_t331 <= (_t349[0x24] & 0x000000ff)) {
									L52:
									_t349[0x24] = 0xff;
									E00B3E1A7(_t314, _t354, _t331);
									_t354[0x63] = _t354[0x63] - 1;
									_t354[0x65] = _t354[0x65] & 0x00000000;
									goto L9;
								}
								L51:
								__eflags = _t331;
								goto L52;
							}
							__eflags = _t331 - _t354[0x63];
							if(_t331 == _t354[0x63]) {
								goto L51;
							} else {
								goto L52;
							}
						} else {
							goto L33;
						}
						do {
							L33:
							_t44 = _t314 + 0x74; // 0xeee1e8
							_t333 =  *( *( *_t44 + _t358 * 4));
							__eflags = _t333;
							if(_t333 == 0) {
								goto L46;
							}
							_t263 =  *(_t333 + 0x93);
							__eflags = _t263 - 0xff;
							if(_t263 == 0xff) {
								goto L46;
							}
							_t343 = _t349[0x24];
							__eflags = _t263 - _t343;
							if(__eflags != 0) {
								L39:
								if(__eflags > 0) {
									_t277 = _t263 - 1;
									__eflags = _t277;
									 *(_t333 + 0x93) = _t277;
								}
								_t51 = _t314 + 0x74; // 0xeee1e8
								_t344 =  *((intOrPtr*)( *((intOrPtr*)( *_t51 + _t358 * 4))));
								__eflags =  *((char*)(_t344 + 0x90)) - 0xb;
								if( *((char*)(_t344 + 0x90)) == 0xb) {
									_t334 = _t349[0x22] & 0x0000ffff;
									__eflags = _t334;
									if(_t334 >= 0) {
										_t266 =  *(_t344 + 0x88) & 0x0000ffff;
										__eflags = _t266;
										if(_t266 >= 0) {
											__eflags = _t266 - _t334;
											if(_t266 > _t334) {
												_t267 = _t266 - 1;
												__eflags = _t267;
												 *(_t344 + 0x88) = _t267;
												_t58 = _t314 + 0x74; // 0xeee1e8
												_t335 =  *_t58;
												_v52 = 2;
												_v32 =  *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t335 + _t358 * 4)))) + 0x88));
												SendMessageW(_v96[0x62], 0x133d,  *( *((intOrPtr*)( *((intOrPtr*)(_t335 + _t358 * 4)))) + 0x93) & 0x000000ff,  &_v52);
											}
										}
									}
								}
								goto L46;
							}
							__eflags =  *((char*)(_t333 + 0x90)) - 0xb;
							if( *((char*)(_t333 + 0x90)) == 0xb) {
								__eflags = _t263 - _t343;
								goto L39;
							} else {
								E00AD48C8(_t314, _t358);
							}
							L46:
							_t358 = _t358 + 1;
							_t70 = _t314 + 0x84; // 0x2
							__eflags = _t358 -  *_t70;
						} while (_t358 <=  *_t70);
						goto L47;
					}
				}
				_t282 = _t202 - 0x13;
				if(_t282 == 0) {
					__eflags = _t349[0xe];
					_t359 = ImageList_Destroy;
					if(_t349[0xe] != 0) {
						ImageList_Destroy(_t349[0xe]);
					}
					__eflags = _t349[0xf];
					if(_t349[0xf] != 0) {
						 *_t359(_t349[0xf]);
					}
					_t360 = 3;
					__eflags =  *(_t314 + 0x84) - _t360;
					if( *(_t314 + 0x84) >= _t360) {
						do {
							_t184 = _t314 + 0x74; // 0xeee1e8
							_t345 =  *( *( *_t184 + _t360 * 4));
							__eflags = _t345;
							if(_t345 != 0) {
								_t337 = _v96;
								__eflags =  *((intOrPtr*)(_t345 + 4)) - _t337[1];
								if( *((intOrPtr*)(_t345 + 4)) == _t337[1]) {
									__eflags =  *((char*)(_t345 + 0x90)) - 0x14;
									if( *((char*)(_t345 + 0x90)) == 0x14) {
										__eflags =  *((intOrPtr*)(_t345 + 0x34)) -  *_t349;
										if( *((intOrPtr*)(_t345 + 0x34)) ==  *_t349) {
											E00AD48C8(_t314, _t360);
										}
									}
								}
							}
							_t360 = _t360 + 1;
							_t192 = _t314 + 0x84; // 0x2
							__eflags = _t360 -  *_t192;
						} while (_t360 <=  *_t192);
					}
					goto L7;
				}
				_t290 = _t282 - 1;
				if(_t290 == 0) {
					_v68 = _t352;
					_v76 = 1;
					_t292 = SendMessageW(_t349[0xd], 0x1053, _v92,  &_v76);
					__eflags = _t292 - _v92;
					if(_t292 == _v92) {
						goto L21;
					}
					SendMessageW(_t349[0xd], 0x1008, _t292, 0);
					goto L8;
				}
				_t295 = _t290;
				if(_t295 == 0) {
					_t362 = 3;
					__eflags =  *((intOrPtr*)(__ecx + 0x84)) - _t362;
					if( *((intOrPtr*)(__ecx + 0x84)) < _t362) {
						goto L7;
					}
					_t156 = _t341 + 0xc; // 0xeee1f4
					_t296 = _t156;
					_v88 = _t296;
					do {
						_t346 =  *(_t296->i);
						__eflags = _t346;
						if(_t346 == 0) {
							goto L116;
						}
						__eflags =  *((intOrPtr*)(_t346 + 4)) -  *((intOrPtr*)(_t318 + 4));
						if( *((intOrPtr*)(_t346 + 4)) !=  *((intOrPtr*)(_t318 + 4))) {
							goto L116;
						}
						__eflags =  *((char*)(_t346 + 0x90)) - 3;
						if( *((char*)(_t346 + 0x90)) != 3) {
							goto L116;
						}
						__eflags = _t346->i - _t349[0xd];
						if(_t346->i != _t349[0xd]) {
							goto L116;
						}
						_t162 = _t314 + 0x74; // 0xeee1e8
						MoveWindow( *( *( *( *_t162 + _t362 * 4))), ( *( *( *_t162 + _t362 * 4)))[0x22], ( *( *( *_t162 + _t362 * 4)))[0x22],  *(_t339 + 0x8c),  *(_t339 + 0x8e), 0);
						goto L7;
						L116:
						_t362 = _t362 + 1;
						_t296 = _v88 + 4;
						_v88 = _t296;
						_t171 = _t314 + 0x84; // 0x2
						__eflags = _t362 -  *_t171;
					} while (_t362 <=  *_t171);
					goto L7;
				}
				_t308 = _t295 - 5;
				if(_t308 != 0) {
					__eflags = _t308 != 0;
					if(_t308 != 0) {
						goto L7;
					}
					L00B3CEFC(__ecx, _t349, _t318);
					goto L8;
				} else {
					E00AD49CA(_t318, _t349);
					goto L7;
				}
			}

0x00ad48d7
0x00ad48e2
0x00ad48eb
0x00b4e118
0x00b4e118
0x00ad498c
0x00ad4992
0x00ad4992
0x00ad48f1
0x00ad48f8
0x00ad48f8
0x00ad48fe
0x00ad4903
0x00ad4909
0x00ad4910
0x00ad4912
0x00ad4916
0x00ad491c
0x00ad4920
0x00ad4926
0x00b4e11f
0x00b4e55d
0x00ad495c
0x00ad495c
0x00ad4960
0x00ad4964
0x00ad4998
0x00ad4998
0x00ad496a
0x00ad49a3
0x00ad49a3
0x00ad4970
0x00ad49ae
0x00ad49ae
0x00ad4976
0x00ad49b9
0x00ad49b9
0x00ad4978
0x00ad497f
0x00ad49c5
0x00ad49c5
0x00ad4984
0x00ad498b
0x00000000
0x00ad498b
0x00b4e125
0x00b4e128
0x00b4e3fd
0x00b4e400
0x00ad4954
0x00ad4956
0x00000000
0x00ad4956
0x00b4e406
0x00b4e409
0x00b4e464
0x00b4e469
0x00b4e4ea
0x00b4e4f0
0x00b4e4f6
0x00b4e4f8
0x00b4e50e
0x00b4e4fa
0x00b4e4fc
0x00b4e506
0x00b4e506
0x00b4e512
0x00b4e518
0x00b4e51a
0x00b4e51d
0x00b4e523
0x00b4e525
0x00b4e52a
0x00b4e536
0x00b4e53c
0x00b4e53c
0x00b4e53c
0x00b4e53c
0x00b4e525
0x00b4e545
0x00000000
0x00b4e545
0x00b4e474
0x00b4e47c
0x00b4e48f
0x00b4e497
0x00b4e49d
0x00b4e49f
0x00000000
0x00000000
0x00b4e4a1
0x00b4e4a5
0x00b4e4a9
0x00b4e4ab
0x00000000
0x00000000
0x00b4e4af
0x00b4e4b0
0x00b4e4b6
0x00b4e4e7
0x00b4e4e7
0x00000000
0x00000000
0x00000000
0x00000000
0x00b4e4b8
0x00b4e4b8
0x00b4e4b8
0x00b4e4be
0x00b4e4c0
0x00b4e4c2
0x00b4e4c4
0x00b4e4c7
0x00b4e4c9
0x00b4e4d0
0x00b4e4d5
0x00b4e4da
0x00b4e4da
0x00b4e4d0
0x00b4e4c7
0x00b4e4de
0x00b4e4df
0x00b4e4df
0x00b4e4df
0x00000000
0x00b4e4b8
0x00b4e40b
0x00b4e40e
0x00000000
0x00000000
0x00b4e414
0x00b4e418
0x00b4e41d
0x00b4e41d
0x00b4e425
0x00b4e426
0x00b4e42c
0x00b4e432
0x00b4e432
0x00b4e438
0x00b4e43a
0x00b4e43c
0x00b4e441
0x00b4e443
0x00b4e445
0x00b4e44c
0x00b4e451
0x00b4e451
0x00b4e44c
0x00b4e443
0x00b4e456
0x00b4e457
0x00b4e457
0x00b4e457
0x00b4e45f
0x00000000
0x00b4e42c
0x00b4e12e
0x00b4e387
0x00b4e388
0x00b4e38e
0x00b4e3cd
0x00b4e3cd
0x00b4e3d3
0x00b4e3d6
0x00b4e3f2
0x00000000
0x00b4e3f2
0x00b4e3d9
0x00b4e3df
0x00b4e3e3
0x00000000
0x00000000
0x00000000
0x00000000
0x00b4e390
0x00b4e390
0x00b4e390
0x00b4e396
0x00b4e398
0x00b4e39a
0x00000000
0x00000000
0x00b4e39f
0x00b4e3a2
0x00000000
0x00000000
0x00b4e3a4
0x00b4e3aa
0x00b4e3ac
0x00b4e3b8
0x00b4e3bb
0x00000000
0x00b4e3bb
0x00b4e3ae
0x00b4e3b0
0x00000000
0x00000000
0x00b4e3b2
0x00b4e3c0
0x00b4e3c0
0x00b4e3c1
0x00b4e3c1
0x00b4e3c1
0x00b4e3c9
0x00000000
0x00b4e3c9
0x00b4e134
0x00b4e137
0x00000000
0x00000000
0x00b4e13f
0x00b4e140
0x00b4e142
0x00b4e362
0x00b4e368
0x00b4e36a
0x00b4e370
0x00b4e373
0x00b4e379
0x00b4e379
0x00b4e373
0x00000000
0x00b4e36a
0x00b4e148
0x00b4e14b
0x00b4e2e8
0x00b4e2e8
0x00b4e2ee
0x00b4e2f0
0x00b4e31e
0x00b4e31e
0x00b4e324
0x00b4e32a
0x00b4e330
0x00b4e336
0x00b4e33c
0x00b4e344
0x00b4e34a
0x00b4e34e
0x00b4e357
0x00b4e357
0x00000000
0x00b4e34e
0x00b4e2f2
0x00b4e2f4
0x00b4e2f4
0x00b4e2fa
0x00b4e2fc
0x00b4e2fe
0x00b4e300
0x00b4e307
0x00b4e30c
0x00b4e30c
0x00b4e307
0x00b4e311
0x00b4e312
0x00b4e312
0x00b4e316
0x00b4e31a
0x00000000
0x00b4e31a
0x00b4e151
0x00b4e154
0x00000000
0x00b4e15a
0x00b4e160
0x00b4e179
0x00b4e18b
0x00b4e192
0x00b4e19a
0x00b4e19d
0x00b4e19f
0x00b4e1a1
0x00b4e1a8
0x00b4e1ad
0x00b4e1b2
0x00b4e1b2
0x00b4e1ad
0x00b4e1b8
0x00b4e1be
0x00b4e293
0x00b4e29a
0x00b4e29e
0x00b4e2a2
0x00b4e2a4
0x00b4e2b4
0x00b4e2c1
0x00b4e2c3
0x00b4e2c6
0x00b4e2ca
0x00b4e2d1
0x00b4e2d6
0x00b4e2dc
0x00000000
0x00b4e2dc
0x00b4e2c5
0x00b4e2c5
0x00000000
0x00b4e2c5
0x00b4e2a6
0x00b4e2ac
0x00000000
0x00b4e2ae
0x00000000
0x00b4e2ae
0x00000000
0x00000000
0x00000000
0x00b4e1c4
0x00b4e1c4
0x00b4e1c4
0x00b4e1ca
0x00b4e1cc
0x00b4e1ce
0x00000000
0x00000000
0x00b4e1d4
0x00b4e1da
0x00b4e1dc
0x00000000
0x00000000
0x00b4e1e2
0x00b4e1e8
0x00b4e1ea
0x00b4e204
0x00b4e204
0x00b4e206
0x00b4e206
0x00b4e208
0x00b4e208
0x00b4e20e
0x00b4e214
0x00b4e216
0x00b4e21d
0x00b4e21f
0x00b4e226
0x00b4e229
0x00b4e22b
0x00b4e232
0x00b4e235
0x00b4e237
0x00b4e23a
0x00b4e23c
0x00b4e23c
0x00b4e23d
0x00b4e244
0x00b4e244
0x00b4e247
0x00b4e25b
0x00b4e280
0x00b4e280
0x00b4e23a
0x00b4e235
0x00b4e229
0x00000000
0x00b4e21d
0x00b4e1ec
0x00b4e1f3
0x00b4e202
0x00000000
0x00b4e1f5
0x00b4e1f8
0x00b4e1f8
0x00b4e286
0x00b4e286
0x00b4e287
0x00b4e287
0x00b4e287
0x00000000
0x00b4e1c4
0x00b4e154
0x00ad492c
0x00ad492f
0x00b4e645
0x00b4e649
0x00b4e64f
0x00b4e654
0x00b4e654
0x00b4e656
0x00b4e65a
0x00b4e65f
0x00b4e65f
0x00b4e663
0x00b4e664
0x00b4e66a
0x00b4e670
0x00b4e670
0x00b4e676
0x00b4e678
0x00b4e67a
0x00b4e67c
0x00b4e683
0x00b4e686
0x00b4e688
0x00b4e68f
0x00b4e694
0x00b4e696
0x00b4e69b
0x00b4e69b
0x00b4e696
0x00b4e68f
0x00b4e686
0x00b4e6a0
0x00b4e6a1
0x00b4e6a1
0x00b4e6a1
0x00b4e6a9
0x00000000
0x00b4e66a
0x00ad4935
0x00ad4936
0x00b4e60d
0x00b4e61f
0x00b4e627
0x00b4e629
0x00b4e62d
0x00000000
0x00000000
0x00b4e63e
0x00000000
0x00b4e63e
0x00ad493d
0x00ad493e
0x00b4e580
0x00b4e581
0x00b4e587
0x00000000
0x00000000
0x00b4e58d
0x00b4e58d
0x00b4e590
0x00b4e594
0x00b4e596
0x00b4e598
0x00b4e59a
0x00000000
0x00000000
0x00b4e59f
0x00b4e5a2
0x00000000
0x00000000
0x00b4e5a4
0x00b4e5ab
0x00000000
0x00000000
0x00b4e5af
0x00b4e5b2
0x00000000
0x00000000
0x00b4e5b4
0x00b4e5e0
0x00000000
0x00b4e5eb
0x00b4e5ef
0x00b4e5f0
0x00b4e5f3
0x00b4e5f7
0x00b4e5f7
0x00b4e5f7
0x00000000
0x00b4e5ff
0x00ad4944
0x00ad4947
0x00b4e569
0x00b4e56a
0x00000000
0x00000000
0x00b4e574
0x00000000
0x00ad494d
0x00ad494f
0x00000000
0x00ad494f

APIs

DestroyWindow.USER32 ref: 00AD4956
DeleteObject.GDI32(00000000), ref: 00AD4998
DeleteObject.GDI32(00000000), ref: 00AD49A3
DestroyIcon.USER32(00000000), ref: 00AD49AE
DestroyWindow.USER32(00000000), ref: 00AD49B9
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B4E179
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B4E1B2
MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 00B4E5E0

Part of subcall function 00AD49CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AD4954,00000000), ref: 00AD4A23

SendMessageW.USER32 ref: 00B4E627
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B4E63E
ImageList_Destroy.COMCTL32(00000000), ref: 00B4E654
ImageList_Destroy.COMCTL32(00000000), ref: 00B4E65F

Strings

0, xrefs: 00B4E474

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 1bd4b7775636679e301767fb10ab85c9821e562ae79769faf48e1e0fd600c46e
Instruction ID: b8ea0386c3c594f168329ae8a86bab9b31909a2aea10474f63bbe05f4f50b13f
Opcode Fuzzy Hash: 1bd4b7775636679e301767fb10ab85c9821e562ae79769faf48e1e0fd600c46e
Instruction Fuzzy Hash: 67129130600201DFDB21CF14C994BAAB7E5FF09305F1445AAF5AADB262C731EE46EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E44C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B1E45E
GetDriveTypeW.KERNEL32(?,00B6DC88,?,\\.\,00B6DBF0), ref: 00B1E54B
SetErrorMode.KERNEL32(00000000,00B6DC88,?,\\.\,00B6DBF0), ref: 00B1E6B1

Strings

FileBackedVirtual, xrefs: 00B1E67D
RAID, xrefs: 00B1E64C
Network, xrefs: 00B1E589
Removable, xrefs: 00B1E59D
PhysicalDrive, xrefs: 00B1E4EF
1394, xrefs: 00B1E630
Fibre, xrefs: 00B1E63E
SSA, xrefs: 00B1E637
MMC, xrefs: 00B1E66F
Unknown, xrefs: 00B1E56B, 00B1E614
RAMDisk, xrefs: 00B1E575
Virtual, xrefs: 00B1E676
SCSI, xrefs: 00B1E61B
Fixed, xrefs: 00B1E593
iSCSI, xrefs: 00B1E653
USB, xrefs: 00B1E645
ATA, xrefs: 00B1E629
\\.\, xrefs: 00B1E4B3
ATAPI, xrefs: 00B1E622
SATA, xrefs: 00B1E661
SAS, xrefs: 00B1E65A
SSD, xrefs: 00B1E5D8
CDROM, xrefs: 00B1E57F

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2e6163e3adf65ad62ff34f95b6437f6f0a9edab45d2bb69c36deac8d487bec38
Instruction ID: b848c57d9d609282ddfd7ab4e0a1fe17d7b2e509dbe0f25fc60957b661f6b8e8
Opcode Fuzzy Hash: 2e6163e3adf65ad62ff34f95b6437f6f0a9edab45d2bb69c36deac8d487bec38
Instruction Fuzzy Hash: 0551C830244301EBC210EB14C991DA9B7E1FB64F54BE049DAFC66A72B1DB60DEC5DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C4F9 Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00B3C598
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00B3C64E
SendMessageW.USER32(?,00001102,00000002,?), ref: 00B3C669
SendMessageW.USER32(?,000000F1,?,00000000), ref: 00B3C925

Strings

0, xrefs: 00B3C6AC
, xrefs: 00B3C543, 00B3C977, 00B3C9BD

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0$
API String ID: 2326795674-1074706181
Opcode ID: fdd54503ad2d5e4cb07c1e8e744fb07a0966d0c6412dfe15294be23f94f274eb
Instruction ID: 07de3b83da140106dea15147fab214c2328e21936b0e1fe7bea44630d80afda1
Opcode Fuzzy Hash: fdd54503ad2d5e4cb07c1e8e744fb07a0966d0c6412dfe15294be23f94f274eb
Instruction Fuzzy Hash: E4F1E171204301AFE7218F64CC85BAABFE4FF49354F280AA9F588E72A1C770D945DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00ADC714 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 245COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00ADC741
__wcsnicmp.LIBCMT ref: 00ADC759
__wcsnicmp.LIBCMT ref: 00ADC771
__wcsnicmp.LIBCMT ref: 00ADC789
__wcsnicmp.LIBCMT ref: 00ADC7A1
__wcsnicmp.LIBCMT ref: 00ADC7B5
__wcsnicmp.LIBCMT ref: 00ADC7C9
__wcsnicmp.LIBCMT ref: 00ADC7E1
__wcsnicmp.LIBCMT ref: 00ADC8B2
__wcsnicmp.LIBCMT ref: 00ADC8C6
__wcsnicmp.LIBCMT ref: 00ADC8DA
__wcsnicmp.LIBCMT ref: 00ADC8EE

Strings

Cannot parse #include, xrefs: 00B43482
#cs, xrefs: 00ADC7DB, 00ADC8C0
Bad directive syntax error, xrefs: 00B4346D
#pragma compile, xrefs: 00ADC73B
#comments-start, xrefs: 00ADC7C3, 00ADC8AC
#include, xrefs: 00ADC7AF
#requireadmin, xrefs: 00ADC76B
Unterminated group of comments, xrefs: 00B43475
#notrayicon, xrefs: 00ADC753
#OnAutoItStartRegister, xrefs: 00ADC783
#ce, xrefs: 00ADC8E8
#comments-end, xrefs: 00ADC8D4
#include-once, xrefs: 00ADC79B

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: d556dd4511263612a69836391e78c4270b90cf5d3720ae8207a94cb2557dcd01
Instruction ID: 4e485ba991ddb17e5ff0adce4db71540c24c8d9f35be5de1dabd8fc7d1a76622
Opcode Fuzzy Hash: d556dd4511263612a69836391e78c4270b90cf5d3720ae8207a94cb2557dcd01
Instruction Fuzzy Hash: 3761473170031777DB21ABA49D92FBA33E8AF15750F540066FD43A6292EBA4CB01D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3B4D4 Relevance: 40.6, APIs: 21, Strings: 2, Instructions: 400windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B3B5C0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B3B5D1
CharNextW.USER32(0000014E), ref: 00B3B600
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B3B641
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B3B657
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B3B668
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B3B685
SetWindowTextW.USER32(?,0000014E), ref: 00B3B6D7
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B3B6ED
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B3B71E
_memset.LIBCMT ref: 00B3B743
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B3B78C
_memset.LIBCMT ref: 00B3B7EB
SendMessageW.USER32 ref: 00B3B815
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B3B86D
SendMessageW.USER32(?,0000133D,?,?), ref: 00B3B91A
InvalidateRect.USER32(?,00000000,00000001), ref: 00B3B93C
GetMenuItemInfoW.USER32(?), ref: 00B3B986
SetMenuItemInfoW.USER32 ref: 00B3B9B3
DrawMenuBar.USER32(?), ref: 00B3B9C2
SetWindowTextW.USER32(?,0000014E), ref: 00B3B9EA

Strings

0, xrefs: 00B3B95F
, xrefs: 00B3B522

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$
API String ID: 1073566785-1074706181
Opcode ID: 8bf5ff1d226d70cbe6e240aaa63f479dfc48875f4c59964681f1d56a5de39195
Instruction ID: 2af154f18ee4cce4a552d130c0d8c647d1ffba41185ef2762c40b7908d371513
Opcode Fuzzy Hash: 8bf5ff1d226d70cbe6e240aaa63f479dfc48875f4c59964681f1d56a5de39195
Instruction Fuzzy Hash: C5E16E71900218ABDF219F54CC85EEE7BF8FF05754F208296FA19AB195DB708A41DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D385 Relevance: 39.2, APIs: 26, Instructions: 186windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B3D3BE
SetTextColor.GDI32(?,?), ref: 00B3D3C2
GetSysColorBrush.USER32(0000000F), ref: 00B3D3D8
GetSysColor.USER32(0000000F), ref: 00B3D3E3
CreateSolidBrush.GDI32(?), ref: 00B3D3E8
GetSysColor.USER32(00000011), ref: 00B3D400
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B3D40E
SelectObject.GDI32(?,00000000), ref: 00B3D41F
SetBkColor.GDI32(?,00000000), ref: 00B3D428
SelectObject.GDI32(?,?), ref: 00B3D435
InflateRect.USER32(?,000000FF,000000FF), ref: 00B3D454
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B3D46B
GetWindowLongW.USER32(00000000,000000F0), ref: 00B3D480
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B3D4A8
GetWindowTextW.USER32 ref: 00B3D4CF
InflateRect.USER32(?,000000FD,000000FD), ref: 00B3D4ED
DrawFocusRect.USER32 ref: 00B3D4F8
GetSysColor.USER32(00000011), ref: 00B3D506
SetTextColor.GDI32(?,00000000), ref: 00B3D50E
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B3D522
SelectObject.GDI32(?,00B3D0B5), ref: 00B3D539
DeleteObject.GDI32(?), ref: 00B3D544
SelectObject.GDI32(?,?), ref: 00B3D54A
DeleteObject.GDI32(?), ref: 00B3D54F
SetTextColor.GDI32(?,?), ref: 00B3D555
SetBkColor.GDI32(?,?), ref: 00B3D55F

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 05f3007385a8566a1164b0a38725eebfc1f1a4c96912f1733e315d4609265dd2
Instruction ID: 03ceb5c1dbc8b7fb72e8be10a0b7689ddd2bf46762028c884d837c3e2ddae1a0
Opcode Fuzzy Hash: 05f3007385a8566a1164b0a38725eebfc1f1a4c96912f1733e315d4609265dd2
Instruction Fuzzy Hash: F4512D71900208AFDF119FA4DC48FAEBBB9FB08321F214655F915AB2A1DB759940DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B176DB Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B176ED
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B17713
_wcscpy.LIBCMT ref: 00B17741
_wcscmp.LIBCMT ref: 00B1774C
_wcscat.LIBCMT ref: 00B17762
_wcsstr.LIBCMT ref: 00B1776D
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B17789
_wcscat.LIBCMT ref: 00B177D2
_wcscat.LIBCMT ref: 00B177D9
_wcsncpy.LIBCMT ref: 00B17804

Strings

04090000, xrefs: 00B177BF
\VarFileInfo\Translation, xrefs: 00B17781
%u.%u.%u.%u, xrefs: 00B17867
DefaultLangCodepage, xrefs: 00B177EC
StringFileInfo\, xrefs: 00B1775C

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: c1515f94b72831e572233785058edd776002c001012519b611b829df6f3470aa
Instruction ID: e530d9203d9acd1aa376a3c7a7321037a95bf46993dbdd9ebcb155161d17bdff
Opcode Fuzzy Hash: c1515f94b72831e572233785058edd776002c001012519b611b829df6f3470aa
Instruction Fuzzy Hash: 4D41B371A44208BAD701B7A48D87EFF7BECDF55710F500195F601A71A2EB649E41C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AEA756 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AEA839
GetSystemMetrics.USER32 ref: 00AEA841
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AEA86C
GetSystemMetrics.USER32 ref: 00AEA874
GetSystemMetrics.USER32 ref: 00AEA899
SetRect.USER32 ref: 00AEA8B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00AEA8C6
CreateWindowExW.USER32 ref: 00AEA8F9
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AEA90D
GetClientRect.USER32 ref: 00AEA92B
GetStockObject.GDI32(00000011), ref: 00AEA947
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AEA952

Part of subcall function 00AEB736: GetCursorPos.USER32(000000FF), ref: 00AEB749
Part of subcall function 00AEB736: ScreenToClient.USER32 ref: 00AEB766
Part of subcall function 00AEB736: GetAsyncKeyState.USER32(00000001), ref: 00AEB78B
Part of subcall function 00AEB736: GetAsyncKeyState.USER32(00000002), ref: 00AEB799

SetTimer.USER32(00000000,00000000,00000028,00AEACEE), ref: 00AEA979

Strings

AutoIt v3 GUI, xrefs: 00AEA8F1

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer_malloc
String ID: AutoIt v3 GUI
API String ID: 1557154100-248962490
Opcode ID: beacf7da495ae3e5d6fbdb78c5754874a1e0f3ee48dbb02d56f20e297da076aa
Instruction ID: ccf1888fdca4207f3e52823361250b88aeff19362733d5bcee82ce73c85b0ca3
Opcode Fuzzy Hash: beacf7da495ae3e5d6fbdb78c5754874a1e0f3ee48dbb02d56f20e297da076aa
Instruction Fuzzy Hash: 44B17A31A0020AAFDF14DFA9DD85BAE7BB4FB18315F104269FA15E72A0DB70E841DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B0E69D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00B0E6E1
_wcscmp.LIBCMT ref: 00B0E6F2
GetWindowTextW.USER32 ref: 00B0E71A
CharUpperBuffW.USER32(?,00000000), ref: 00B0E737
_wcscmp.LIBCMT ref: 00B0E755
_wcsstr.LIBCMT ref: 00B0E766
GetClassNameW.USER32 ref: 00B0E79E
_wcscmp.LIBCMT ref: 00B0E7AE
GetWindowTextW.USER32 ref: 00B0E7D5
GetClassNameW.USER32 ref: 00B0E81E
_wcscmp.LIBCMT ref: 00B0E82E
GetClassNameW.USER32 ref: 00B0E856
GetWindowRect.USER32 ref: 00B0E8BF

Strings

ThumbnailClass, xrefs: 00B0E7A9, 00B0E829
@, xrefs: 00B0E6BC

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 808e4c89f10cb35f83f9e27b073b41a1997019e206864868a87b893b69843250
Instruction ID: 9528aeadaa7f8235b69c036f5b74c1539bdc95d16c5ba1f1b2edbfd9b6d23d11
Opcode Fuzzy Hash: 808e4c89f10cb35f83f9e27b073b41a1997019e206864868a87b893b69843250
Instruction Fuzzy Hash: E481A0310083099BDB15DF10C981FAA7BE8FF44754F0489AAFDA99A0D2DB30DD46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3F122 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AEAF8E

DragQueryPoint.SHELL32(?,?), ref: 00B3F14B

Part of subcall function 00B3D5EE: ClientToScreen.USER32(?,?), ref: 00B3D617
Part of subcall function 00B3D5EE: GetWindowRect.USER32 ref: 00B3D68D
Part of subcall function 00B3D5EE: PtInRect.USER32(?,?,00B3EB2C), ref: 00B3D69D

SendMessageW.USER32(?,000000B0,?,?), ref: 00B3F1B4
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B3F1BF
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B3F1E2
_wcscat.LIBCMT ref: 00B3F212
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B3F229
SendMessageW.USER32(?,000000B0,?,?), ref: 00B3F242
SendMessageW.USER32(?,000000B1,?,?), ref: 00B3F259
SendMessageW.USER32(?,000000B1,?,?), ref: 00B3F27B
DragFinish.SHELL32(?), ref: 00B3F282
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B3F36D

Strings

@GUI_DRAGID, xrefs: 00B3F2E1
, xrefs: 00B3F181, 00B3F1EE
@GUI_DROPID, xrefs: 00B3F2A2
@GUI_DRAGFILE, xrefs: 00B3F31C

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$
API String ID: 169749273-1963020119
Opcode ID: 959063a74e4fb0971c24557cabb069d053a6bc9afeae40b49854e4d247a51a0d
Instruction ID: dd74ef717aefc9bbfe7b74c7d40a629bb1b9090da407c28ae0f6c96b9aa1714a
Opcode Fuzzy Hash: 959063a74e4fb0971c24557cabb069d053a6bc9afeae40b49854e4d247a51a0d
Instruction Fuzzy Hash: 53615972508301AFC710EF64DD85EABBBE8FF89750F100A5EF595932A1DB709A05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B0E4EA Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B0E549

Strings

CLASSNAME=, xrefs: 00B0E586
[REGEXPTITLE:, xrefs: 00B0E571
REGEXP=, xrefs: 00B0E55E
HANDLE=, xrefs: 00B0E542
[ACTIVE, xrefs: 00B0E536
[HANDLE:, xrefs: 00B0E555
[CLASS:, xrefs: 00B0E599
[ALL, xrefs: 00B0E5EF
ALL, xrefs: 00B0E5DD
ACTIVE, xrefs: 00B0E524
[LAST, xrefs: 00B0E5F6
LAST, xrefs: 00B0E50E

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 2adae736e80b5fe61cc4edd31dbab4d519b02e63fd7a68ee46f546c4cf7685a9
Instruction ID: 4ead09253e3cbedfeada0746a86be3e90453ee9aea0580d63fe7ab926922321d
Opcode Fuzzy Hash: 2adae736e80b5fe61cc4edd31dbab4d519b02e63fd7a68ee46f546c4cf7685a9
Instruction Fuzzy Hash: 35317C31944209E6DA18FBA0DE53EBE77E4AF20B54F2008A6F562711F6FF51AF04CA11

Uniqueness

Uniqueness Score: -1.00%

Function 00B0F898 Relevance: 25.7, APIs: 17, Instructions: 168windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00B0F8AB
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B0F8BD
SetWindowTextW.USER32(?,?), ref: 00B0F8D4
GetDlgItem.USER32 ref: 00B0F8E9
SetWindowTextW.USER32(00000000,?), ref: 00B0F8EF
GetDlgItem.USER32 ref: 00B0F8FF
SetWindowTextW.USER32(00000000,?), ref: 00B0F905
SendDlgItemMessageW.USER32 ref: 00B0F926
SendDlgItemMessageW.USER32 ref: 00B0F940
GetWindowRect.USER32 ref: 00B0F949
SetWindowTextW.USER32(?,?), ref: 00B0F9B4
GetDesktopWindow.USER32 ref: 00B0F9BA
GetWindowRect.USER32 ref: 00B0F9C1
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00B0FA0D
GetClientRect.USER32 ref: 00B0FA1A
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00B0FA3F
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B0FA6A

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: b5b2ffc4fbade7c5cea4a1177820c4a5a611cebe06661198787f3e374b158ba6
Instruction ID: 5d0c27b972555dd3ab04fc9fe984b314dc26b83db7b250f6e873d5f0f4ed66b2
Opcode Fuzzy Hash: b5b2ffc4fbade7c5cea4a1177820c4a5a611cebe06661198787f3e374b158ba6
Instruction Fuzzy Hash: FD512D71A0070AAFDB309FA8CD85B6EBBF5FF04705F004968E596A29A0DB74A945CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B1B428 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 350timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00B1B46D
VariantCopy.OLEAUT32(?,?), ref: 00B1B476
VariantClear.OLEAUT32(?), ref: 00B1B482
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B1B561
__swprintf.LIBCMT ref: 00B1B591
VarR8FromDec.OLEAUT32(?,?), ref: 00B1B5BD
VariantInit.OLEAUT32(?), ref: 00B1B63F
SysFreeString.OLEAUT32(00000016), ref: 00B1B6D1
VariantClear.OLEAUT32(?), ref: 00B1B727
VariantClear.OLEAUT32(?), ref: 00B1B736
VariantInit.OLEAUT32(00000000), ref: 00B1B772

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00B1B58B
Default, xrefs: 00B1B615

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 1827cc67c64013a462e083fdb3e7f3e1f99984a0dba7140795bbe0cf3508dd0a
Instruction ID: 2f48127073f2a72ca311e159de18caf040f78963c9b40c08c3d2d6047126e557
Opcode Fuzzy Hash: 1827cc67c64013a462e083fdb3e7f3e1f99984a0dba7140795bbe0cf3508dd0a
Instruction Fuzzy Hash: B3C1EF31A00215EBCB209F65D8C4FA9B7F4FF09700FA485A5E4059B296DB74ECC0DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E305 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00B3E3BB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B3BCBF), ref: 00B3E417
LoadImageW.USER32 ref: 00B3E457
LoadImageW.USER32 ref: 00B3E49C
LoadImageW.USER32 ref: 00B3E4D3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00B3BCBF), ref: 00B3E4DF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B3E4EF
DestroyIcon.USER32(?,?,?,?,?,00B3BCBF), ref: 00B3E4FE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B3E51B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B3E527

Part of subcall function 00AF1BC7: __wcsicmp_l.LIBCMT ref: 00AF1C50

Strings

.dll, xrefs: 00B3E374
.icl, xrefs: 00B3E331
.exe, xrefs: 00B3E351

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 2fa1f8ce58d83ad59ef8e6bd517ed02bfd9d6184f2a5038eabfcff01006ca25a
Instruction ID: 612421d38580a232236e7b6537975b27c2d35cdc9ce1b6826c6fab5ea5a4ab9a
Opcode Fuzzy Hash: 2fa1f8ce58d83ad59ef8e6bd517ed02bfd9d6184f2a5038eabfcff01006ca25a
Instruction Fuzzy Hash: 0F61A071500219FAEB24DF64CD86FBE77A8EB08711F204296F925E71D1EBB4D981C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00AEB86E Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD49CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AD4954,00000000), ref: 00AD4A23

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00AEB85B), ref: 00AEB926
KillTimer.USER32(00000000,?,00000000,?,?,?,?,00AEB85B,00000000,?,?,00AEAF1E,?,?), ref: 00AEB9BD
DestroyAcceleratorTable.USER32 ref: 00B4E775
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AEB85B,00000000,?,?,00AEAF1E,?,?), ref: 00B4E7A6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AEB85B,00000000,?,?,00AEAF1E,?,?), ref: 00B4E7BD
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AEB85B,00000000,?,?,00AEAF1E,?,?), ref: 00B4E7D9
DeleteObject.GDI32(00000000), ref: 00B4E7EB

Strings

, xrefs: 00AEB8A7

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-2740779761
Opcode ID: 64ddff559677c332330c09d848d13af90fdc66ca8433f4ad6329a31e18db1cb3
Instruction ID: 4dde4e89c2e1242ef65b0e1ee8be73a488ebbbb5a471531170e90d7d32569b70
Opcode Fuzzy Hash: 64ddff559677c332330c09d848d13af90fdc66ca8433f4ad6329a31e18db1cb3
Instruction Fuzzy Hash: D2618F31120742CFDB329F2ADA8C726B7F5FB45312F144A5AE19687671CB70E891EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AEB039 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00AEB155: GetWindowLongW.USER32(?,000000EB), ref: 00AEB166

GetSysColor.USER32(0000000F), ref: 00AEB067

Strings

, xrefs: 00AEB081

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-2740779761
Opcode ID: b97ed9ab790a9f968e2040936c54e6679321cf9ae305a831010a20334d923396
Instruction ID: 0276c4e1be143ec7e66ae0b26d79c3fb2372a92cc0c4b5bfb8958a13409045ad
Opcode Fuzzy Hash: b97ed9ab790a9f968e2040936c54e6679321cf9ae305a831010a20334d923396
Instruction Fuzzy Hash: 9941AF31110680AFDB215F29D888BBA3BA6EB06731F1843A1FD759B1E6DB309D41DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00B13110 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 129windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00B44085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 00B13145
LoadStringW.USER32(00000000,?,00B44085,00000016), ref: 00B1314E

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00B44085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 00B13170
LoadStringW.USER32(00000000,?,00B44085,00000016), ref: 00B13173
__swprintf.LIBCMT ref: 00B131B3
__swprintf.LIBCMT ref: 00B131C5
_wprintf.LIBCMT ref: 00B1326C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B13283

Strings

Line %d (File "%s"):, xrefs: 00B131BF
^ ERROR, xrefs: 00B13216
Line %d:, xrefs: 00B131AD
Error: , xrefs: 00B1323C
%s (%d) : ==> %s: %s %s, xrefs: 00B13267

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 2ace33e60148f780d506223c4b67df1fe30031acf8967cbb720d1eec6e65b4e4
Instruction ID: fb6ba2ec3ec6dde51fa986c3d4eebaf265ce3d7e105ab212b9d9dae1ee2d7403
Opcode Fuzzy Hash: 2ace33e60148f780d506223c4b67df1fe30031acf8967cbb720d1eec6e65b4e4
Instruction Fuzzy Hash: 6D414572900209BACB14FBE0DE97EEE77B99F14B41F5001A6F602B21A1EE755F44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D950 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00B1D96C
__swprintf.LIBCMT ref: 00B1D98E
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B1D9CB
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B1D9F0
_memset.LIBCMT ref: 00B1DA0F
_wcsncpy.LIBCMT ref: 00B1DA4B
DeviceIoControl.KERNEL32 ref: 00B1DA80
CloseHandle.KERNEL32(00000000), ref: 00B1DA8B
RemoveDirectoryW.KERNEL32(?), ref: 00B1DA94
CloseHandle.KERNEL32(00000000), ref: 00B1DA9E

Strings

\??\%s, xrefs: 00B1D988
\, xrefs: 00B1D9A4
:, xrefs: 00B1D9AF

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: aadaf09e5093edf49529bf1db0b8ca05115e354e4d24adfab756fc4741ebf652
Instruction ID: ca1d4c70c5b93ace44b9da97ebe9c12006be028116839f9ea7d9513dbeebc2a7
Opcode Fuzzy Hash: aadaf09e5093edf49529bf1db0b8ca05115e354e4d24adfab756fc4741ebf652
Instruction Fuzzy Hash: AD31A871510208AADB20DFA4DC49FDA77FCEF84700F5082E5F619D2060EB719A818BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E541 Relevance: 22.6, APIs: 15, Instructions: 129filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00B3BD04,?,?), ref: 00B3E564
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E57B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E586
CloseHandle.KERNEL32(00000000,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E593
GlobalLock.KERNEL32 ref: 00B3E59C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E5AB
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E5B4
CloseHandle.KERNEL32(00000000,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E5BB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E5CC
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B5D9BC,?), ref: 00B3E5E5
GlobalFree.KERNEL32 ref: 00B3E5F5
GetObjectW.GDI32(00000000,00000018,?,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E619
CopyImage.USER32 ref: 00B3E644
DeleteObject.GDI32(00000000), ref: 00B3E66C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B3E682

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 5db081e99bbd5a8266906bc9395f7de31bca6807faa88dd773cc6f5bce366fbb
Instruction ID: 5dba06cc6b27296b7eee55bef726c6937885bcaffca4537d847e907093ddd752
Opcode Fuzzy Hash: 5db081e99bbd5a8266906bc9395f7de31bca6807faa88dd773cc6f5bce366fbb
Instruction Fuzzy Hash: 0C415B75600304BFDB219F65CC88EAABBB9EF89716F108199F915E72A0DB31DD41DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B593 Relevance: 21.2, APIs: 14, Instructions: 178memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B8E7: GetUserObjectSecurity.USER32 ref: 00B0B903
Part of subcall function 00B0B8E7: GetLastError.KERNEL32(?,00B0B3CB,?,?,?), ref: 00B0B90D
Part of subcall function 00B0B8E7: GetProcessHeap.KERNEL32(00000008,?,?,00B0B3CB,?,?,?), ref: 00B0B91C
Part of subcall function 00B0B8E7: HeapAlloc.KERNEL32(00000000,?,00B0B3CB,?,?,?), ref: 00B0B923
Part of subcall function 00B0B8E7: GetUserObjectSecurity.USER32 ref: 00B0B93A

Part of subcall function 00B0B982: GetProcessHeap.KERNEL32(00000008,00B0B3E1,00000000,00000000,?,00B0B3E1,?), ref: 00B0B98E
Part of subcall function 00B0B982: HeapAlloc.KERNEL32(00000000,?,00B0B3E1,?), ref: 00B0B995
Part of subcall function 00B0B982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B0B3E1,?), ref: 00B0B9A6

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B0B5F7
_memset.LIBCMT ref: 00B0B60C
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B0B62B
GetLengthSid.ADVAPI32(?), ref: 00B0B63C
GetAce.ADVAPI32(?,00000000,?), ref: 00B0B679
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B0B695
GetLengthSid.ADVAPI32(?), ref: 00B0B6B2
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B0B6C1
HeapAlloc.KERNEL32(00000000), ref: 00B0B6C8
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B0B6E9
CopySid.ADVAPI32(00000000), ref: 00B0B6F0
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B0B721
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B0B747
SetUserObjectSecurity.USER32 ref: 00B0B75B

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 1352c9e66199f36fb14e1809861ae7303cb24333559bb8298743a0916e2f75d2
Instruction ID: 9518baf7127767b0e82132a00aeddd8af57d39443df270e0802d50fb71b708cd
Opcode Fuzzy Hash: 1352c9e66199f36fb14e1809861ae7303cb24333559bb8298743a0916e2f75d2
Instruction Fuzzy Hash: 4B513975900209AFDF149FA4DC95EEEBBB9FF44344F0482A9F915A72A0DB319E05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D520 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 144COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00B1D567

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

LoadStringW.USER32(?,?,00000FFF,?), ref: 00B1D589
__swprintf.LIBCMT ref: 00B1D5DC
_wprintf.LIBCMT ref: 00B1D68D
_wprintf.LIBCMT ref: 00B1D6AB

Strings

Line %d (File "%s"):, xrefs: 00B1D5D6
"%s" (%d) : ==> %s:, xrefs: 00B1D6A6
^ ERROR, xrefs: 00B1D631
Error: , xrefs: 00B1D657
"%s" (%d) : ==> %s:%s%s, xrefs: 00B1D688

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2116804098-2391861430
Opcode ID: 7ff291b6b914c54fa1c9588430b9647a37df5b369c4f1662c1a47515d05d2fde
Instruction ID: c648a6d608eb6b0a489e0c2840e13cfa87e1911bf148ea284f18c48d347079c0
Opcode Fuzzy Hash: 7ff291b6b914c54fa1c9588430b9647a37df5b369c4f1662c1a47515d05d2fde
Instruction Fuzzy Hash: 1251A172900109AACF14FBA0CE52EEEB7B9EF14700F5045A6F106B21A1EE315F98DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D338 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00B1D37F

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B1D3A0
__swprintf.LIBCMT ref: 00B1D3F3
_wprintf.LIBCMT ref: 00B1D499
_wprintf.LIBCMT ref: 00B1D4B7

Strings

^ ERROR , xrefs: 00B1D432
Line %d (File "%s"):, xrefs: 00B1D3ED
"%s" (%d) : ==> %s:, xrefs: 00B1D4B2
Error: , xrefs: 00B1D463
"%s" (%d) : ==> %s:%s%s, xrefs: 00B1D494

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: LoadString_wprintf$__swprintf_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 2116804098-3420473620
Opcode ID: 03eec136bace9ff4302f03527c8adc45d56da2a9d48cb40ede1fd883bb40f155
Instruction ID: 79f29f55ba6c21a6aeff487494f51ea736233a599444757f34e4a61e83c055f4
Opcode Fuzzy Hash: 03eec136bace9ff4302f03527c8adc45d56da2a9d48cb40ede1fd883bb40f155
Instruction Fuzzy Hash: A451D672900109BACF15FBA0DE52EEEB7B9EF14700F5044A6F10672161EB716F94DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B183D6 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00AD7E53: _memmove.LIBCMT ref: 00AD7EB9

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B1843F
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B18455
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B18466
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B18478
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B18489

Strings

close PlayMe, xrefs: 00B18450, 00B1847D
status PlayMe mode, xrefs: 00B1843A
play PlayMe wait, xrefs: 00B18473
alias PlayMe, xrefs: 00B18418
play PlayMe, xrefs: 00B18484
open , xrefs: 00B183EE

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 354c136427b91f3af23b073b7b96cfc25877a22bd16c4c5c73be984cc3e2d323
Instruction ID: 342258c0973706d3b4de712c553190894594fc072d9461453ec44c32d9aa8b2a
Opcode Fuzzy Hash: 354c136427b91f3af23b073b7b96cfc25877a22bd16c4c5c73be984cc3e2d323
Instruction Fuzzy Hash: 7211B665A5015979D720B7A1DC4ADFF7BFCFB91F00F40045A7412A21E1DEA04E44C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00B18097 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B1809C

Part of subcall function 00AEE3A5: timeGetTime.WINMM(?,74928EC0,00B46163), ref: 00AEE3A9

Sleep.KERNEL32(0000000A), ref: 00B180C8
EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 00B180EC
FindWindowExW.USER32 ref: 00B1810E
SetActiveWindow.USER32 ref: 00B1812D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B1813B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B1815A
Sleep.KERNEL32(000000FA), ref: 00B18165
IsWindow.USER32 ref: 00B18171
EndDialog.USER32(00000000), ref: 00B18182

Strings

BUTTON, xrefs: 00B18100

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 50287aed978787794aa1cc505dcd64abaf3d5951e0009e5a1b570682b94206e8
Instruction ID: aadfe8ca1bd2637a5c5cbcdbcf6face1b60094c6205440d3809778e869f87e1e
Opcode Fuzzy Hash: 50287aed978787794aa1cc505dcd64abaf3d5951e0009e5a1b570682b94206e8
Instruction Fuzzy Hash: 3B21BE71200304BFE7325B21BD88B663FEAF719B8AB550296F51193371DF724E968621

Uniqueness

Uniqueness Score: -1.00%

Function 00B132B0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B43C64,00000010,00000000,Bad directive syntax error,00B6DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 00B132D1
LoadStringW.USER32(00000000,?,00B43C64,00000010), ref: 00B132D8

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

_wprintf.LIBCMT ref: 00B13309
__swprintf.LIBCMT ref: 00B1332B
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B13395

Strings

Line %d (File "%s"):, xrefs: 00B1333B
%s (%d) : ==> %s.: %s %s, xrefs: 00B13304
Line %d:, xrefs: 00B13325
., xrefs: 00B1337B
Error: , xrefs: 00B13363

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: a26dadb5cf0ad95f6f4c226f219de521c4ef1e530a2c1c6274b32b53e6a18a77
Instruction ID: c8035cfb08384137d7b673124e92d820b83b84ae77224393f0bc26219231b00f
Opcode Fuzzy Hash: a26dadb5cf0ad95f6f4c226f219de521c4ef1e530a2c1c6274b32b53e6a18a77
Instruction Fuzzy Hash: 64217F3294021EFBCF11AFD0CC16EEE77B5BF14B01F004496F516A10B1EA719A54DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00B208D9 Relevance: 18.2, APIs: 12, Instructions: 196COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B2090D
_memset.LIBCMT ref: 00B20928
CoInitialize.OLE32(00000000), ref: 00B2093B
SHGetMalloc.SHELL32(?), ref: 00B20945
CoUninitialize.OLE32 ref: 00B2094F
_wcscpy.LIBCMT ref: 00B20993
SHGetDesktopFolder.SHELL32(?), ref: 00B209F5
_wcscpy.LIBCMT ref: 00B20A1B
_wcscpy.LIBCMT ref: 00B20A77
SHBrowseForFolderW.SHELL32 ref: 00B20AA2
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B20AC5
CoUninitialize.OLE32 ref: 00B20B11

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
String ID:
API String ID: 3566271842-0
Opcode ID: 28399a9a9f24d39be30e3c2afaaeb70eeac7cf229f79d4608225b5b9190562ba
Instruction ID: 64300a53c72731c9ae340df3049ada35291f0eddde6a1bbaa38d0b1900b1a6af
Opcode Fuzzy Hash: 28399a9a9f24d39be30e3c2afaaeb70eeac7cf229f79d4608225b5b9190562ba
Instruction Fuzzy Hash: FE710F75A10219AFDB10EFA4D984ADEB7F9EF49314F048496E509A7352DB34AE40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B1388D Relevance: 18.2, APIs: 12, Instructions: 185keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B13908
SetKeyboardState.USER32(?), ref: 00B13973
GetAsyncKeyState.USER32(000000A0), ref: 00B13993
GetKeyState.USER32(000000A0), ref: 00B139AA
GetAsyncKeyState.USER32(000000A1), ref: 00B139D9
GetKeyState.USER32(000000A1), ref: 00B139EA
GetAsyncKeyState.USER32(00000011), ref: 00B13A16
GetKeyState.USER32(00000011), ref: 00B13A24
GetAsyncKeyState.USER32(00000012), ref: 00B13A4D
GetKeyState.USER32(00000012), ref: 00B13A5B
GetAsyncKeyState.USER32(0000005B), ref: 00B13A84
GetKeyState.USER32(0000005B), ref: 00B13A92

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e76166c6bcb8bf40947b167ce7bca0b54a47ffaa171ea55e7df3c5c80e9178bf
Instruction ID: e32bed9bb686bcba281aea3b9614aadad57bbd8e4775bf6316c9cf8d2471a9de
Opcode Fuzzy Hash: e76166c6bcb8bf40947b167ce7bca0b54a47ffaa171ea55e7df3c5c80e9178bf
Instruction Fuzzy Hash: 0F518620A0478469FB35EBA488517EEAFF4DF11B80F8845D9D5C25A1C2FB549BCCC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B17334 Relevance: 18.1, APIs: 12, Instructions: 113COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00B1734C
_wcscpy.LIBCMT ref: 00B1735D
__wsplitpath.LIBCMT ref: 00B17384
__wsplitpath.LIBCMT ref: 00B173A8
_wcscpy.LIBCMT ref: 00B173CA
_wcscpy.LIBCMT ref: 00B173E8
_wcscpy.LIBCMT ref: 00B173F9
_wcscat.LIBCMT ref: 00B17408
_wcscat.LIBCMT ref: 00B1745D
_wcscat.LIBCMT ref: 00B17493
_wcscat.LIBCMT ref: 00B174A5

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
String ID:
API String ID: 136442275-0
Opcode ID: 06aade64d13e878a1e565deb9badfad4f44d544a34331792a6b5cd4942a3478b
Instruction ID: 3815cdae8ea18520c9437f9308a9549316d666401aa4047c0f88de06d60cc56c
Opcode Fuzzy Hash: 06aade64d13e878a1e565deb9badfad4f44d544a34331792a6b5cd4942a3478b
Instruction Fuzzy Hash: 5741F07290411CAADB21EB90CD95EEE73BCEB08310F5041E6F619A3151EE759BD4CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B3B14A Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B3B204

Strings

, xrefs: 00B3B186

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-2740779761
Opcode ID: b9d741940b221ab1586cb02f7eb148517856e66eab30f00f82061549566486f8
Instruction ID: 480e461fb427e95dbaf5799458af6ece530198303e53f6e657fd2ffd12bb2b7c
Opcode Fuzzy Hash: b9d741940b221ab1586cb02f7eb148517856e66eab30f00f82061549566486f8
Instruction Fuzzy Hash: 3C51BE30510214BEEF30AF288C99F9E3BE4EB06310F304696FB15E71A5CB71E9409B50

Uniqueness

Uniqueness Score: -1.00%

Function 00AD84A6 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00AD84E5
__itow.LIBCMT ref: 00AD8519

Part of subcall function 00AF2177: _xtow@16.LIBCMT ref: 00AF2198

Strings

0x%p, xrefs: 00B45582
True, xrefs: 00B45561
%.15g, xrefs: 00AD84DF
False, xrefs: 00B45568

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 2ce565df5b73aed3a52f2972bc0b71479f92a7678ce003477ae604bfc1f2e222
Instruction ID: 7f9359553b2a309c6e5c5ff9d49d66ca8fb6fe319fa5fbb00f0be31c4c000753
Opcode Fuzzy Hash: 2ce565df5b73aed3a52f2972bc0b71479f92a7678ce003477ae604bfc1f2e222
Instruction Fuzzy Hash: D2410372600A099BDB34DB78D981F7AB7F9FF44310F2044AEF54AC6292EA359A41DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B178EE Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B17909
gethostname.WSOCK32(?,00000100), ref: 00B17923
gethostbyname.WSOCK32(?), ref: 00B17930
_wcscpy.LIBCMT ref: 00B17958
_memmove.LIBCMT ref: 00B1796B
inet_ntoa.WSOCK32(?), ref: 00B17976
_wcscpy.LIBCMT ref: 00B1799B
WSACleanup.WSOCK32 ref: 00B179A9
_wcscpy.LIBCMT ref: 00B179B7

Strings

0.0.0.0, xrefs: 00B17952

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmovegethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 325522624-3771769585
Opcode ID: af4a31f914b65701b2593391530f7bd9ea6234af9bb9dd78d9382044a20580ac
Instruction ID: 0f8375cdf1f5c170c3abb8139fe520c4906930ac26fe8922b5690afd3559bf93
Opcode Fuzzy Hash: af4a31f914b65701b2593391530f7bd9ea6234af9bb9dd78d9382044a20580ac
Instruction Fuzzy Hash: 8C110271A08219BBDB30A7709D4AEEA37FCEB04760F5001E9F10597091EEB0DAC586A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B157FB Relevance: 16.7, APIs: 11, Instructions: 189windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B15816
GetMenuItemInfoW.USER32(00B918F0,000000FF,00000000,00000030), ref: 00B15877
SetMenuItemInfoW.USER32 ref: 00B158AD
Sleep.KERNEL32(000001F4), ref: 00B158BF
GetMenuItemCount.USER32 ref: 00B15903
GetMenuItemID.USER32(?,00000000), ref: 00B1591F
GetMenuItemID.USER32(?,-00000001), ref: 00B15949
GetMenuItemID.USER32(?,?), ref: 00B1598E
CheckMenuRadioItem.USER32 ref: 00B159D4
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B159E8
SetMenuItemInfoW.USER32 ref: 00B15A09

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: dec935fc801ba9519a30bd63f01bf0a65022676b07a08507ed607731359d8c9a
Instruction ID: 38b7f451d42cdc10c8354dd52e7dae72113e08df1eb40dd977a000a5164ce4b5
Opcode Fuzzy Hash: dec935fc801ba9519a30bd63f01bf0a65022676b07a08507ed607731359d8c9a
Instruction Fuzzy Hash: 5061AF70910649EFDF31CFA4D9C8AEE7BF8EB81358F54029AE442A3251D731AD81DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00B13569 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B13591
GetAsyncKeyState.USER32(000000A0), ref: 00B13612
GetKeyState.USER32(000000A0), ref: 00B1362D
GetAsyncKeyState.USER32(000000A1), ref: 00B13647
GetKeyState.USER32(000000A1), ref: 00B1365C
GetAsyncKeyState.USER32(00000011), ref: 00B13674
GetKeyState.USER32(00000011), ref: 00B13686
GetAsyncKeyState.USER32(00000012), ref: 00B1369E
GetKeyState.USER32(00000012), ref: 00B136B0
GetAsyncKeyState.USER32(0000005B), ref: 00B136C8
GetKeyState.USER32(0000005B), ref: 00B136DA

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f37c5ac8c45d78ef4f120a091918b8dc268b1db70236ae5d724e4b336a5fbe04
Instruction ID: d1649b9d4a43fd09838e345093eca412ce7918ff807b6fea32589c7fa8b37e1f
Opcode Fuzzy Hash: f37c5ac8c45d78ef4f120a091918b8dc268b1db70236ae5d724e4b336a5fbe04
Instruction Fuzzy Hash: D74195605087C97DFF319B6498143E5BEE1EB21B44F8880D9D5C6472C2FBA59BC8CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B0A28D Relevance: 16.6, APIs: 11, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 00B0A2AA
SafeArrayAllocData.OLEAUT32(?), ref: 00B0A2F5
VariantInit.OLEAUT32(?), ref: 00B0A307
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B0A327
VariantCopy.OLEAUT32(?,?), ref: 00B0A36A
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B0A37E
VariantClear.OLEAUT32(?), ref: 00B0A393
SafeArrayDestroyData.OLEAUT32(?), ref: 00B0A3A0
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B0A3A9
VariantClear.OLEAUT32(?), ref: 00B0A3BB
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B0A3C6

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f21c1a8ba55279484df2291953c68dd35623d1e4f990f63a5347aa404a639e66
Instruction ID: 158483ab56f2931d39d87d170696159debba3e99751f50188b2a69d1ae0eafe2
Opcode Fuzzy Hash: f21c1a8ba55279484df2291953c68dd35623d1e4f990f63a5347aa404a639e66
Instruction Fuzzy Hash: E2414F31900319AFCB11DFA4DC84ADEBFB9FF48345F0085A5F512A7251DB70AA45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C6FD Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00B0C782
GetDlgCtrlID.USER32 ref: 00B0C78D
GetParent.USER32 ref: 00B0C7A9
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B0C7AC
GetDlgCtrlID.USER32 ref: 00B0C7B5
GetParent.USER32(?), ref: 00B0C7D1
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B0C7D4

Strings

ComboBox, xrefs: 00B0C707
ListBox, xrefs: 00B0C73F

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove
String ID: ComboBox$ListBox
API String ID: 313823418-1403004172
Opcode ID: 2849aaf0d16908992687a39bec0173e665db6a5f09028b28b53b87eb5c0c782d
Instruction ID: bcca98f6c2ccace88dcefbfc63854a08b326b17568c576af68b7f230e2f9d359
Opcode Fuzzy Hash: 2849aaf0d16908992687a39bec0173e665db6a5f09028b28b53b87eb5c0c782d
Instruction Fuzzy Hash: 68219274A00208ABDB05AB64CC95EBE7BB5EF46311F104296F562D72E1DB745816DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C7E6 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00B0C869
GetDlgCtrlID.USER32 ref: 00B0C874
GetParent.USER32 ref: 00B0C890
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B0C893
GetDlgCtrlID.USER32 ref: 00B0C89C
GetParent.USER32(?), ref: 00B0C8B8
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B0C8BB

Strings

ComboBox, xrefs: 00B0C7F0
ListBox, xrefs: 00B0C828

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove
String ID: ComboBox$ListBox
API String ID: 313823418-1403004172
Opcode ID: 88831a10de027699b53ae5ba02320972d4cd3b92cecabb590fea35eae6396770
Instruction ID: 104afcca618cb4cbcc0d5d9456122f627c64989a094efd59e1b0442e947bb9d6
Opcode Fuzzy Hash: 88831a10de027699b53ae5ba02320972d4cd3b92cecabb590fea35eae6396770
Instruction Fuzzy Hash: AB21A175A00208ABDF05AB64CC95EFEBFA9EF45301F104296F512E32E1DB749816DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C8CD Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B0C8D9
GetClassNameW.USER32 ref: 00B0C8EE
_wcscmp.LIBCMT ref: 00B0C900
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B0C97B

Strings

list, xrefs: 00B0C95D
details, xrefs: 00B0C929
SHELLDLL_DefView, xrefs: 00B0C8FA
smallicons, xrefs: 00B0C943
largeicons, xrefs: 00B0C90F

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 165f7e4a06906f1434e119a458e00d543f4918dfa87d59b7d2b99291ff4f1d2e
Instruction ID: d6ba0f5db6d79eeea73d22be4e42f2aec9fa5eeaa2ed93477870d917c28a43cc
Opcode Fuzzy Hash: 165f7e4a06906f1434e119a458e00d543f4918dfa87d59b7d2b99291ff4f1d2e
Instruction Fuzzy Hash: 27118676648306F9FA163B30DD4ADA67FDCDB07764B200296FA00A60E2FF61A9538654

Uniqueness

Uniqueness Score: -1.00%

Function 00B1B05A Relevance: 15.3, APIs: 10, Instructions: 317COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 00B1B137

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 71d3ffc650d72cdf9a756289ea634c759645e32ac1f85018eba9847202ba4349
Instruction ID: e13400244fda879c1b47ff34f7d63454cfc9dd9bca30bc08a12968bc5c8ffaed
Opcode Fuzzy Hash: 71d3ffc650d72cdf9a756289ea634c759645e32ac1f85018eba9847202ba4349
Instruction Fuzzy Hash: 11C18C75A0121ADFDB00CF98D485BEEB7F4FF08315F6040AAE615E7291C734AA91CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00B17212 Relevance: 15.1, APIs: 10, Instructions: 107windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00B17226
__swprintf.LIBCMT ref: 00B17233

Part of subcall function 00AF234B: __woutput_l.LIBCMT ref: 00AF23A4

FindResourceW.KERNEL32(?,?,0000000E), ref: 00B1725D
LoadResource.KERNEL32(?,00000000), ref: 00B17269
LockResource.KERNEL32(00000000), ref: 00B17276
FindResourceW.KERNEL32(?,?,00000003), ref: 00B17296
LoadResource.KERNEL32(?,00000000), ref: 00B172A8
SizeofResource.KERNEL32(?,00000000), ref: 00B172B7
LockResource.KERNEL32(?), ref: 00B172C3
CreateIconFromResourceEx.USER32 ref: 00B17322

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 472525a940ec2d6052ba5331f1f8d530eecd9e9504b02292e80ec1066788431f
Instruction ID: 5db42adf64e791f46ca402a8c3f1b92a1ee49a68208e1060defbd76a0129430e
Opcode Fuzzy Hash: 472525a940ec2d6052ba5331f1f8d530eecd9e9504b02292e80ec1066788431f
Instruction Fuzzy Hash: 3331CEB194421AABCB119FA0ED85AFB7BF8FF09301F504595F912D3150EB34D992DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D978 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 239COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32 ref: 00B0DC86

Strings

REGEXPCLASS, xrefs: 00B0DA4C
CLASS, xrefs: 00B0DA06
TEXT, xrefs: 00B0DBBD
INSTANCE, xrefs: 00B0DB94
NAME, xrefs: 00B0DAB8
CLASSNN, xrefs: 00B0DA29

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 4033b1daab7c0d8de2f4b6e059c552b692144fbadfa013090d3ae5cb89846c10
Instruction ID: df2eaa17f7d3c9e5bc15756a30bc3582ac6fa5fd307ac8ece0f373fa6a09e613
Opcode Fuzzy Hash: 4033b1daab7c0d8de2f4b6e059c552b692144fbadfa013090d3ae5cb89846c10
Instruction Fuzzy Hash: C291B630A006469ADB18DFA4C5C1BE9FFF5FF04350F54819AE85AA72D1DF30A959CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AEA599 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00B4E9EA
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B4EA0B
LoadImageW.USER32 ref: 00B4EA20
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B4EA3D
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B4EA64
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00AEA57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00B4EA6F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B4EA8C
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00AEA57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00B4EA97

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: ffd4eb456a00be98b4280fa1694fd2879536fde9b0a7dc2b466f7ebc74aed03c
Instruction ID: 75f93841c00b3cd88462f7d921a58c8eb146c69bdde4249dac88a3549e05e72a
Opcode Fuzzy Hash: ffd4eb456a00be98b4280fa1694fd2879536fde9b0a7dc2b466f7ebc74aed03c
Instruction Fuzzy Hash: A4516870600309AFDB20CF69CC81FAA7BF5FB59750F104659F956972A0DBB0ED80AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AEF6B5 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00B4E9A0,00000004,00000000,00000000), ref: 00AEF737
ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,00B4E9A0,00000004,00000000,00000000), ref: 00AEF77E
ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,00B4E9A0,00000004,00000000,00000000), ref: 00B4EB55
ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,00B4E9A0,00000004,00000000,00000000), ref: 00B4EBC1

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c10cf71ced00f6620fdedc9793857974a25c4dd6a0c9d6a10fee4317bcb9e09a
Instruction ID: 0a7524b7f37ca891582f8acd8a2b716706e1145356ce02f1cb367afcf87c8b8f
Opcode Fuzzy Hash: c10cf71ced00f6620fdedc9793857974a25c4dd6a0c9d6a10fee4317bcb9e09a
Instruction Fuzzy Hash: CA41FA316186C19FDB355B3A8DC8B7A7AE6FF45302F6409ADF097835A1CA70E841E721

Uniqueness

Uniqueness Score: -1.00%

Function 00B2C8B7 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00B2C916
NULL Pointer assignment, xrefs: 00B2CCEE, 00B2CCFF

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ad101a2c490d10f5ffe08b46f9f42a8678398fb5fae02394d8f17f4594c92900
Instruction ID: 5f466c15ad08a300ca92561c1c9ac0f815804911ea394ed4cc8d48d778013ce9
Opcode Fuzzy Hash: ad101a2c490d10f5ffe08b46f9f42a8678398fb5fae02394d8f17f4594c92900
Instruction Fuzzy Hash: 50E1C271A00229AFCF10DF68E985BAE7BF9EF48354F1440A9E949A7281D7709D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B16237 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B162D6

Strings

stop, xrefs: 00B162A7
info, xrefs: 00B16277
question, xrefs: 00B1628F
blank, xrefs: 00B16258
warning, xrefs: 00B162BF

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 93a1d7a3409778bbc8ab0bef329cd5f81ff38d259b725a86fc0b5552ad22a3a7
Instruction ID: b63393f7431c01affb3c5df9410def423f95e03b15447d51dd30657e48dedb97
Opcode Fuzzy Hash: 93a1d7a3409778bbc8ab0bef329cd5f81ff38d259b725a86fc0b5552ad22a3a7
Instruction Fuzzy Hash: FB11203120C346FAD7055B58DC82DFA73DCDF16B24B6000E9F641A62D2F7B0AE8182E4

Uniqueness

Uniqueness Score: -1.00%

Function 00B1757B Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 00B17595
LoadStringW.USER32(00000000), ref: 00B1759C
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B175B2
LoadStringW.USER32(00000000), ref: 00B175B9
_wprintf.LIBCMT ref: 00B175DF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B175FD

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B175DA

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: bae6aed2b17df0cdbb160bc21fda791d3a0e61929f3d725e905abc4f28cff774
Instruction ID: d38ea9b7effa46b201c8f53c4957e0d4176a62728aaf9431c2ec44dba86247e3
Opcode Fuzzy Hash: bae6aed2b17df0cdbb160bc21fda791d3a0e61929f3d725e905abc4f28cff774
Instruction Fuzzy Hash: 0901FFF2940308BFE711A794AD89FE6766CEB08301F4005D5B745E3051EE749E858B75

Uniqueness

Uniqueness Score: -1.00%

Function 00AFB72C Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 00AFB744

Part of subcall function 00AF8A0C: __FF_MSGBANNER.LIBCMT ref: 00AF8A21
Part of subcall function 00AF8A0C: __NMSG_WRITE.LIBCMT ref: 00AF8A28
Part of subcall function 00AF8A0C: __malloc_crt.LIBCMT ref: 00AF8A48

__lock.LIBCMT ref: 00AFB757
__lock.LIBCMT ref: 00AFB7A3
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00B86948,00000018,00B06C2B,?,00000000,00000109), ref: 00AFB7BF
EnterCriticalSection.KERNEL32(8000000C,00B86948,00000018,00B06C2B,?,00000000,00000109), ref: 00AFB7DC
LeaveCriticalSection.KERNEL32(8000000C), ref: 00AFB7EC

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: f977defbbf44c0b3db58e488b5a15adbc9851b164625239b78136f563627bba6
Instruction ID: bea621872c02484c607db02889a9540f3a4bbd2d120bdc5e56f264bc65c5e8f9
Opcode Fuzzy Hash: f977defbbf44c0b3db58e488b5a15adbc9851b164625239b78136f563627bba6
Instruction Fuzzy Hash: D7412771D212198BEB10AFE8D94437CB7B4BF40375F248219F625AB2D1CB749800CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A1B7 Relevance: 12.1, APIs: 8, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B1A1CE

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

Part of subcall function 00AF010A: std::exception::exception.LIBCMT ref: 00AF013E
Part of subcall function 00AF010A: __CxxThrowException@8.LIBCMT ref: 00AF0153

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B1A205
EnterCriticalSection.KERNEL32(?), ref: 00B1A221
_memmove.LIBCMT ref: 00B1A26F
_memmove.LIBCMT ref: 00B1A28C
LeaveCriticalSection.KERNEL32(?), ref: 00B1A29B
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B1A2B0
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B1A2CF

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrow_mallocstd::exception::exception
String ID:
API String ID: 3094542793-0
Opcode ID: 9b3fa0c58384541d80d967082b95e8bc33350a615ce281af8fc299834cf355a9
Instruction ID: 6b30616d2fd5035df698b81b0ead1629d974858828649471b7ac3d81fc63b0c2
Opcode Fuzzy Hash: 9b3fa0c58384541d80d967082b95e8bc33350a615ce281af8fc299834cf355a9
Instruction Fuzzy Hash: 6C319031900205EBCB10EFA5DD85EAEBBB8EF44310F5481A5F904EB256DB70DE54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AEB40F Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2039305ebeb9865aff202f46016502347fe0c70f1d75c87c0cff0a85bc67bdc7
Instruction ID: c880ac353e1eb9135e3600358a284d76c638845bfe04d56275d845d17ab364ae
Opcode Fuzzy Hash: 2039305ebeb9865aff202f46016502347fe0c70f1d75c87c0cff0a85bc67bdc7
Instruction Fuzzy Hash: EE71487191054AEFCB158F99C888ABFBB74FF85314F148159F916AB291C730AA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B147DE Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B1481D
GetKeyboardState.USER32(?), ref: 00B14832
SetKeyboardState.USER32(?), ref: 00B14893
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B148C1
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B148E0
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B14926
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B14949

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 382294498285e727d9194da13e68727d87706620103adb70e0b9b7ab82368e3c
Instruction ID: e2ecdd9721996a016b2c07ad83c67c74974b7a3db66bb40e7602785524fc7f0b
Opcode Fuzzy Hash: 382294498285e727d9194da13e68727d87706620103adb70e0b9b7ab82368e3c
Instruction Fuzzy Hash: C251CEA0A087D53DFB3647248C45BFBBEE9AB06344F4889C9E1D55A8C2C7D8E9C8D750

Uniqueness

Uniqueness Score: -1.00%

Function 00B145F9 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B14638
GetKeyboardState.USER32(?), ref: 00B1464D
SetKeyboardState.USER32(?), ref: 00B146AE
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B146DA
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B146F7
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B1473B
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B1475C

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 67a3a568017a9d9a607be22f48d8d3e3cb5877b8ebba7360dbd667d3f08434b9
Instruction ID: aa7c96b99dbb09840496e030768499859065a0d5e0166d30ce68ea4bcda9af5a
Opcode Fuzzy Hash: 67a3a568017a9d9a607be22f48d8d3e3cb5877b8ebba7360dbd667d3f08434b9
Instruction Fuzzy Hash: 7551C1A06087D639FB3687248C45BFABEE9EB07304F4845C9E1D94A8C2D794EDD8E750

Uniqueness

Uniqueness Score: -1.00%

Function 00B186AE Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B186BB
_wcsncpy.LIBCMT ref: 00B186F0
_wcsncpy.LIBCMT ref: 00B18722
_wcsncpy.LIBCMT ref: 00B18755
_wcsncpy.LIBCMT ref: 00B18797
_wcsncpy.LIBCMT ref: 00B187D1
_wcsncpy.LIBCMT ref: 00B18800

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 46f23b8bf12368e84efe22e3740c7f44dbbdbb8a9a0c5feb9a8c1322a5b49962
Instruction ID: b60d62e4726a8c165f65831c9915e7b91d762979b43df770cdd69e10c0fb4865
Opcode Fuzzy Hash: 46f23b8bf12368e84efe22e3740c7f44dbbdbb8a9a0c5feb9a8c1322a5b49962
Instruction Fuzzy Hash: 76413E65C10218B5CB11EBF4C986ADFB7ACEF05350FA08866F618F3162EA30E655C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 00B116F1 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B11734
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B1175A
SysAllocString.OLEAUT32(00000000), ref: 00B1175D
SysAllocString.OLEAUT32(?), ref: 00B1177B
SysFreeString.OLEAUT32(?), ref: 00B11784
StringFromGUID2.OLE32(?,?,00000028), ref: 00B117A9
SysAllocString.OLEAUT32(?), ref: 00B117B7

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7a2d4ef112098c9d49578b2d75f5770414fb5f4357f223517b11d86356a642f3
Instruction ID: bfc682688468f0193432e34f23764f1d1ba7ec0b196721620c3eaf0ce61ca753
Opcode Fuzzy Hash: 7a2d4ef112098c9d49578b2d75f5770414fb5f4357f223517b11d86356a642f3
Instruction Fuzzy Hash: F22165B5600219AF9B109FACCC88DFB77EDEB09360B408665FA15DB391DB70EC818765

Uniqueness

Uniqueness Score: -1.00%

Function 00B169F9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00AD31DA

lstrcmpiW.KERNEL32(?,?), ref: 00B16A2B
_wcscmp.LIBCMT ref: 00B16A49
MoveFileW.KERNEL32(?,?), ref: 00B16A62

Part of subcall function 00B16D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00B16DBA
Part of subcall function 00B16D6D: GetLastError.KERNEL32 ref: 00B16DC5
Part of subcall function 00B16D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00B16DD9

_wcscat.LIBCMT ref: 00B16AA4
SHFileOperationW.SHELL32(?), ref: 00B16B0C

Strings

\*.*, xrefs: 00B16A9E

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 2323102230-1173974218
Opcode ID: 3e4d145fe918ffca4a5aec8a1a250c84b50479c2890d770f72e8f3676715ee61
Instruction ID: ebb3287bb6ff6d51649803a7e4295975c46453074ba2ae6dfeca04991a251039
Opcode Fuzzy Hash: 3e4d145fe918ffca4a5aec8a1a250c84b50479c2890d770f72e8f3676715ee61
Instruction Fuzzy Hash: 083112B1900218AACF61EFA4D945BDDB7F8AF08300F5055EAF509E3151EB309B89CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B117C8 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B1180D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B11833
SysAllocString.OLEAUT32(00000000), ref: 00B11836
SysAllocString.OLEAUT32 ref: 00B11857
SysFreeString.OLEAUT32 ref: 00B11860
StringFromGUID2.OLE32(?,?,00000028), ref: 00B1187A
SysAllocString.OLEAUT32(?), ref: 00B11888

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 22e498d958abb9778bce386b1bf368d0853ac3063c3692f63524c16c5a52f3eb
Instruction ID: 7dde36f2ffa5bcf42d3dca33f04321c63b31fa1cb305e4a2af0689de5858b78b
Opcode Fuzzy Hash: 22e498d958abb9778bce386b1bf368d0853ac3063c3692f63524c16c5a52f3eb
Instruction Fuzzy Hash: AD214475600204AF9B109FACDC89DBA77ECEB09360B808665FA15DB2A5DA74EC818764

Uniqueness

Uniqueness Score: -1.00%

Function 00AEC697 Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00AEC6C0
GetWindowRect.USER32 ref: 00AEC701
ScreenToClient.USER32 ref: 00AEC729
GetClientRect.USER32 ref: 00AEC856
GetWindowRect.USER32 ref: 00AEC86F

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 82ce6b2e5410402e88a51ec4655a6eac3a501b29f223085cdb1453cdaa38feaf
Instruction ID: 57dec8343b2b026814fa3350ce422c11a5ce6a2a977e45515f87098578e096b0
Opcode Fuzzy Hash: 82ce6b2e5410402e88a51ec4655a6eac3a501b29f223085cdb1453cdaa38feaf
Instruction Fuzzy Hash: 93B14A79900289DBDF10CFA9C5807EEB7B1FF08310F14916AEC69EB255DB30AA41DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00B19569 Relevance: 9.2, APIs: 6, Instructions: 204COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B196BC
_memmove.LIBCMT ref: 00B195F7

Part of subcall function 00AD84A6: __swprintf.LIBCMT ref: 00AD84E5
Part of subcall function 00AD84A6: __itow.LIBCMT ref: 00AD8519

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

_memmove.LIBCMT ref: 00B1966A
_memmove.LIBCMT ref: 00B19751
_memmove.LIBCMT ref: 00B1976A
_memmove.LIBCMT ref: 00B19786

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _memmove$__itow__swprintf_malloc
String ID:
API String ID: 83262069-0
Opcode ID: 3210dc01f0b5a868a24d810051a48e619904538d74c4c0bfcfb78a65ca5f55c3
Instruction ID: 088f9872274470570fad0288f01a5216d8fe62fe8fc376b2730b1395e48ca6cb
Opcode Fuzzy Hash: 3210dc01f0b5a868a24d810051a48e619904538d74c4c0bfcfb78a65ca5f55c3
Instruction Fuzzy Hash: 4961AE3050028A9FDB05EF60CE91EFE37A9EF45318F84459AF85A6B292EB34DD45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B154E0 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B1552E
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B15579
IsMenu.USER32 ref: 00B15599
CreatePopupMenu.USER32(00B918F0,00000040,749133D0), ref: 00B155CD
GetMenuItemCount.USER32 ref: 00B1562B
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B1565C

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 851ca66d86fd3079005b39497b137f10af234b90675480d89a1ffdb2b9a050c0
Instruction ID: 54e18d6b536ffda38cd1faa5cf254f1b8d4d6131bc5bc6833644f6ec870aa628
Opcode Fuzzy Hash: 851ca66d86fd3079005b39497b137f10af234b90675480d89a1ffdb2b9a050c0
Instruction Fuzzy Hash: AD51B070600A49EFDF30CF68C888BEDBBF9EF95358F904299E4159B294D7709984CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AEB18C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00AEAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AEAF8E

BeginPaint.USER32(?,?,?,?,?,?), ref: 00AEB1C1
GetWindowRect.USER32 ref: 00AEB225
ScreenToClient.USER32 ref: 00AEB242
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AEB253
EndPaint.USER32(?,?), ref: 00AEB29D

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 78b6d36886a44df578a2e600e569d1d7605a8b39397422e081e658758234d9f0
Instruction ID: e4b72fe1a8052e1c33485919195142b6394290c6b69ed56b7658145c93bf92b7
Opcode Fuzzy Hash: 78b6d36886a44df578a2e600e569d1d7605a8b39397422e081e658758234d9f0
Instruction Fuzzy Hash: FB418D711043419FC721DF29D8C8BBB7BE8EF55320F1406A9FAA5872A1CB319945AB72

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E1A7 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00B91810,00000000,?,?,00B91810,00B91810,?,00B4E2D6), ref: 00B3E21B
EnableWindow.USER32(?,00000000), ref: 00B3E23F
ShowWindow.USER32(00B91810,00000000,?,?,00B91810,00B91810,?,00B4E2D6), ref: 00B3E29F
ShowWindow.USER32(?,00000004,?,?,00B91810,00B91810,?,00B4E2D6), ref: 00B3E2B1
EnableWindow.USER32(?,00000001), ref: 00B3E2D5
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B3E2F8

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d19044ed2171853367aebb9b9206efd9ce41c00b711ae03dddd8aae544662173
Instruction ID: c33a74dad3e15c2f978b4275983c9644991c537c7611a385643fb34ea80e8714
Opcode Fuzzy Hash: d19044ed2171853367aebb9b9206efd9ce41c00b711ae03dddd8aae544662173
Instruction Fuzzy Hash: 56413F34640541EFDB25CF14C899B967BE5FB06314F2841E6FA688F1A2C731E845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E9C8 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00AEB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00AEB5EB
Part of subcall function 00AEB58B: SelectObject.GDI32(?,00000000), ref: 00AEB5FA
Part of subcall function 00AEB58B: BeginPath.GDI32(?), ref: 00AEB611
Part of subcall function 00AEB58B: SelectObject.GDI32(?,00000000), ref: 00AEB63B

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B3E9F2
LineTo.GDI32(00000000,00000003,?), ref: 00B3EA06
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B3EA14
LineTo.GDI32(00000000,00000000,?), ref: 00B3EA24
EndPath.GDI32(00000000), ref: 00B3EA34
StrokePath.GDI32(00000000), ref: 00B3EA44

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5c4469c9cc5982284f6274824d1225f365001e188382d0921b77035559d79cac
Instruction ID: b8c9089360b7178f824dc5cafa6c7ef787da7ebbb196a4139c23b0538f00d03f
Opcode Fuzzy Hash: 5c4469c9cc5982284f6274824d1225f365001e188382d0921b77035559d79cac
Instruction Fuzzy Hash: C3110976000249BFEF129F94DC88F9A7FADEB08351F048162FA199A1A0DB719D55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AD1867 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AD1898
MapVirtualKeyW.USER32(00000010,00000000), ref: 00AD18A0
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AD18AB
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AD18B6
MapVirtualKeyW.USER32(00000011,00000000), ref: 00AD18BE
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AD18C6

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 35ccd480641e26548e3d25c208873e32d25868b23ef36309dcb047141b00a01e
Instruction ID: 7b4c5b4d6d91317bc924c580e505081b4e7dd328cc5168e9a34526d1fdc146ed
Opcode Fuzzy Hash: 35ccd480641e26548e3d25c208873e32d25868b23ef36309dcb047141b00a01e
Instruction Fuzzy Hash: F00167B0902B5ABDE3008F6A8C85B56FFB8FF19354F04415BA15C47A42C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A3D2 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 5a56b016e5457e585662fd77051147f3b31dd17fd6d1c6f14be3896c655783be
Instruction ID: 049f98e974979643cdc39a3dcf2b253ead8dc07fab688ae48d7715b9301160e6
Opcode Fuzzy Hash: 5a56b016e5457e585662fd77051147f3b31dd17fd6d1c6f14be3896c655783be
Instruction Fuzzy Hash: FD016D32102711ABD7252B54ED48FEB7BA9EF89702B8006A9F503974A1CF61B841CA55

Uniqueness

Uniqueness Score: -1.00%

Function 00B184F4 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B18504
SendMessageTimeoutW.USER32 ref: 00B1851A
GetWindowThreadProcessId.USER32(?,?), ref: 00B18529
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B18538
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B18542
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B18549

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 05579cbb520211366aea7a276a1f66fef2391a718535c7b8a4d8ffec3a0e8fcf
Instruction ID: 607e13af139952c1a52542ad8edba7b606d6eebe1048b82459a77d0e6fb38289
Opcode Fuzzy Hash: 05579cbb520211366aea7a276a1f66fef2391a718535c7b8a4d8ffec3a0e8fcf
Instruction Fuzzy Hash: C7F03072240659BBE7315B529D0EFEF7A7CDFC6B16F000298F605E2050EFA06A42C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A31D Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00B1A330
EnterCriticalSection.KERNEL32(?,?,?,?,00B466D3,?,?,?,?,?,00ADE681), ref: 00B1A341
TerminateThread.KERNEL32(?,000001F6,?,?,?,00B466D3,?,?,?,?,?,00ADE681), ref: 00B1A34E
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00B466D3,?,?,?,?,?,00ADE681), ref: 00B1A35B

Part of subcall function 00B19CCE: CloseHandle.KERNEL32(?,?,00B1A368,?,?,?,00B466D3,?,?,?,?,?,00ADE681), ref: 00B19CD8

InterlockedExchange.KERNEL32(?,000001F6), ref: 00B1A36E
LeaveCriticalSection.KERNEL32(?,?,?,?,00B466D3,?,?,?,?,?,00ADE681), ref: 00B1A375

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 65073635c4518c6a3bcd36753c4de77a6168a6b338505c7747385af512991f12
Instruction ID: 024ac730e6a65ce312d4b1119be467a5b6c2abc8df872e020f9f3d98ee6b66b1
Opcode Fuzzy Hash: 65073635c4518c6a3bcd36753c4de77a6168a6b338505c7747385af512991f12
Instruction Fuzzy Hash: 5AF05E32141311ABD3212BA4ED48FDB7BB9EF89303F4006A1F203A64A1CFB6A841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AED7C7 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

Part of subcall function 00AF010A: std::exception::exception.LIBCMT ref: 00AF013E
Part of subcall function 00AF010A: __CxxThrowException@8.LIBCMT ref: 00AF0153

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

Part of subcall function 00ADBBD9: _memmove.LIBCMT ref: 00ADBC33

__swprintf.LIBCMT ref: 00AED98F

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00AED832

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintf_mallocstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 865004172-557222456
Opcode ID: 0fcbc4ae77a44f7389219ec657ed4c3da385419dfaf7763624430d75b2a83e52
Instruction ID: 61fcc6b585147456ca1c3332432dd5d0c4a8a0276e8934e1e8dc1696228b6db3
Opcode Fuzzy Hash: 0fcbc4ae77a44f7389219ec657ed4c3da385419dfaf7763624430d75b2a83e52
Instruction Fuzzy Hash: 2E917932518241AFC714EF25CA85D6EB7F4EF99700F00495EF4969B2A2EB70EE04DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C2E7 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00B3C354
ScreenToClient.USER32 ref: 00B3C384
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00B3C3EA

Strings

, xrefs: 00B3C31E, 00B3C412

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-2740779761
Opcode ID: 8c8d4074097763425d1974d776c8c50d976be1d576fa621ed6c49f4c6a181994
Instruction ID: a7ee8dcc27b13ea016e72a19860d196044cbc3b4d77a0a207a9f9dd594e2ec18
Opcode Fuzzy Hash: 8c8d4074097763425d1974d776c8c50d976be1d576fa621ed6c49f4c6a181994
Instruction Fuzzy Hash: 2C513D71900205EFCF20DFA8C990AAE7BF6FB45360F248599F925AB291D770AD41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B3B354 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B3B3E1

Strings

, xrefs: 00B3B390

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-2740779761
Opcode ID: 9f889a8bf23ac0600ea552aff5305d05c43a3495562820994ce873f13bbf8d04
Instruction ID: 2ba86a9a1c3650c728daf637a5362b9c1af6fca70b3e95f314f08f4ce57f7d73
Opcode Fuzzy Hash: 9f889a8bf23ac0600ea552aff5305d05c43a3495562820994ce873f13bbf8d04
Instruction Fuzzy Hash: D131CF34600214FBEF209E18CC85FA877E5EB05350F308596FB51D72AAC730E9419B59

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D5EE Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B3D617
GetWindowRect.USER32 ref: 00B3D68D
PtInRect.USER32(?,?,00B3EB2C), ref: 00B3D69D
MessageBeep.USER32(00000000), ref: 00B3D70E

Strings

, xrefs: 00B3D653, 00B3D6B5

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-2740779761
Opcode ID: cc5999ccb20f3518cb3f29de13bdb277e33b47dda6f681f37b193ac2fdc79a8e
Instruction ID: cb26911190a5fb8757c9a5baae59a0c2fd3310c34b34ce6fc2a9cdd2e2b31986
Opcode Fuzzy Hash: cc5999ccb20f3518cb3f29de13bdb277e33b47dda6f681f37b193ac2fdc79a8e
Instruction Fuzzy Hash: 14417E70A00219DFCB11DF58E885BA97BF5FF45300F2485EAE429DB251DB30E945EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C600 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B0C684
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B0C697
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B0C6C7

Part of subcall function 00AD7E53: _memmove.LIBCMT ref: 00AD7EB9

Strings

ComboBox, xrefs: 00B0C60B
ListBox, xrefs: 00B0C643

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$_memmove
String ID: ComboBox$ListBox
API String ID: 458670788-1403004172
Opcode ID: 572b29aa97902e9ef12d0f83dd9a9ec8d30d4598b093afbd92e689e420038774
Instruction ID: be9acb4cc93ded2a714e2f0909800d8e93e49626f7985a9c78ea8d54d381e2fb
Opcode Fuzzy Hash: 572b29aa97902e9ef12d0f83dd9a9ec8d30d4598b093afbd92e689e420038774
Instruction Fuzzy Hash: E621E171A00108AEDB28ABA4C886DFFBFE9DF06350B14465AF422E32E1DB754D0AD710

Uniqueness

Uniqueness Score: -1.00%

Function 00AD38E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B4454E

Part of subcall function 00AD7E53: _memmove.LIBCMT ref: 00AD7EB9

_memset.LIBCMT ref: 00AD3965
_wcscpy.LIBCMT ref: 00AD39B5
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AD39C6

Strings

Line: , xrefs: 00B44578

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: ca8462ed77de78e43ccd79a42e40a132b7ec1c8e1a766e1dbd596fa0e1129183
Instruction ID: 2aed37b04e27ce4bd5b0766c609e83079e82189489650433e944392f84d8bfe3
Opcode Fuzzy Hash: ca8462ed77de78e43ccd79a42e40a132b7ec1c8e1a766e1dbd596fa0e1129183
Instruction Fuzzy Hash: 4B31B272409341ABDB21EB64DD52BDA77E8AF54710F40491BF186932A1EFB09748CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E382 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B1E392
GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 00B1E3E6
__swprintf.LIBCMT ref: 00B1E3FF
SetErrorMode.KERNEL32(00000000,00000001,00000000,00B6DBF0), ref: 00B1E43D

Strings

%lu, xrefs: 00B1E3F9

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: e28718d04311343c7218bed53e94e1c4482489de08c4288452d96b3e2f055cea
Instruction ID: b89819ca06f3f43de1da7117e2f94e24209d8c36d56ab1d00fff548724db1162
Opcode Fuzzy Hash: e28718d04311343c7218bed53e94e1c4482489de08c4288452d96b3e2f055cea
Instruction Fuzzy Hash: 0B21AF35A40208AFCB10EBA4C985EEEB7B8EF49710F1040A9F509E7361DA31EE41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D7D6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD7E53: _memmove.LIBCMT ref: 00AD7EB9

Part of subcall function 00B0D623: SendMessageTimeoutW.USER32 ref: 00B0D640
Part of subcall function 00B0D623: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B0D653
Part of subcall function 00B0D623: GetCurrentThreadId.KERNEL32 ref: 00B0D65A
Part of subcall function 00B0D623: AttachThreadInput.USER32(00000000), ref: 00B0D661

GetFocus.USER32(00B6DBF0), ref: 00B0D7FB

Part of subcall function 00B0D66C: GetParent.USER32(?), ref: 00B0D67A

GetClassNameW.USER32 ref: 00B0D844
EnumChildWindows.USER32 ref: 00B0D86C
__swprintf.LIBCMT ref: 00B0D886

Strings

%s%d, xrefs: 00B0D880

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: d67d781cf8b0517eedbc644c40e380c4ea817eee93834fe05d70cc0bd4303299
Instruction ID: d0ab48ce2af9515adcc3ddf622529fe03dff8707b7057c124a3be88aa5890777
Opcode Fuzzy Hash: d67d781cf8b0517eedbc644c40e380c4ea817eee93834fe05d70cc0bd4303299
Instruction Fuzzy Hash: 7E1184715003056BDB117F948C86FEE3BA9AB44704F0080F5BE09AB1D6DF745945CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00AF80E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00AF869D: __getptd_noexit.LIBCMT ref: 00AF869E

__lock.LIBCMT ref: 00AF811F
InterlockedDecrement.KERNEL32(?), ref: 00AF813C
_free.LIBCMT ref: 00AF814F
InterlockedIncrement.KERNEL32(00EE3A70), ref: 00AF8167

Strings

p:, xrefs: 00AF8155, 00AF815D

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID: p:
API String ID: 2704283638-3562399180
Opcode ID: da788869fff5f8bcf62b8319e90ba153750716243b934d86ac03e7a7bca13fd2
Instruction ID: 97278e44369ca98751759d900c785a190d870c4f9c7b2c3008839f7f188fa99c
Opcode Fuzzy Hash: da788869fff5f8bcf62b8319e90ba153750716243b934d86ac03e7a7bca13fd2
Instruction Fuzzy Hash: AE0184319016199BDB11AFE4994677D7370BF05711F040355F614672A1CF3C5842CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 00B21726 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 00B217D4
GetPrivateProfileSectionW.KERNEL32 ref: 00B217FD
WritePrivateProfileSectionW.KERNEL32 ref: 00B2183C

Part of subcall function 00AD84A6: __swprintf.LIBCMT ref: 00AD84E5
Part of subcall function 00AD84A6: __itow.LIBCMT ref: 00AD8519

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B21861
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B21869

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: b97e4995a0f66dce10911caf3638dd672ced9d72dd52a08a1c3bdef660939d11
Instruction ID: 061d3565ce4c47fd3fbd73f01d739493a6ba8d228cee3f165b9e75ac6750e732
Opcode Fuzzy Hash: b97e4995a0f66dce10911caf3638dd672ced9d72dd52a08a1c3bdef660939d11
Instruction Fuzzy Hash: B9411A75A00205DFCB11EF64CA81AADBBF5EF48314B148099E80AAB361DB35ED41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00AEB736 Relevance: 7.6, APIs: 5, Instructions: 110keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(000000FF), ref: 00AEB749
ScreenToClient.USER32 ref: 00AEB766
GetAsyncKeyState.USER32(00000001), ref: 00AEB78B
GetAsyncKeyState.USER32(00000002), ref: 00AEB799

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 284aa445a71a9fe15ec6bd62e9f7dca54f0922a706f0e1e1343f13d58cf22204
Instruction ID: b53f9aec50a20750fc8d4ff32f666401b5c78e680eca36cc1f3a5606145e3aa6
Opcode Fuzzy Hash: 284aa445a71a9fe15ec6bd62e9f7dca54f0922a706f0e1e1343f13d58cf22204
Instruction Fuzzy Hash: 99418531504259FFDF159F65C888AEABBB4FB45360F204359F825922D0C730AE90DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C145 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00B0C156
PostMessageW.USER32(?,00000201,00000001), ref: 00B0C200
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00B0C208
PostMessageW.USER32(?,00000202,00000000), ref: 00B0C216
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00B0C21E

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a1b8cc966a91bd5e02f2ca1dd5dc442eef01e2aabe33feaf33efd1679a6516d8
Instruction ID: b7684aaeca762849fcb8e213b899e0e6224343e57dfcc72c974980588c6d498f
Opcode Fuzzy Hash: a1b8cc966a91bd5e02f2ca1dd5dc442eef01e2aabe33feaf33efd1679a6516d8
Instruction Fuzzy Hash: 5631AC71900219EBDF14CFA8DE4DA9E3FB5EB04326F1043A9F925AB2D1C7B09915DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B0E9B5 Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B0E9CD
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B0E9EA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B0EA22
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B0EA48
_wcsstr.LIBCMT ref: 00B0EA52

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 40f460db68590dbd0576cfff33fff84e5c241e1b70aad2b62094524d21102953
Instruction ID: 2e5cd143c9d02036f6ac9efb8a3b3364e8d8b2eac76ad33890f38469ce94d109
Opcode Fuzzy Hash: 40f460db68590dbd0576cfff33fff84e5c241e1b70aad2b62094524d21102953
Instruction Fuzzy Hash: 22214672304204BAEB259B79DD49E3B7FE8EF49750F0081A9F909DA0D1DE70DC4182A0

Uniqueness

Uniqueness Score: -1.00%

Function 00AEB58B Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00AEB5EB
SelectObject.GDI32(?,00000000), ref: 00AEB5FA
BeginPath.GDI32(?), ref: 00AEB611
SelectObject.GDI32(?,00000000), ref: 00AEB63B

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 1939d85531e13904fe363b4830f128949802a42de45cef1246b0e174d324379b
Instruction ID: b1064bb0cfff377f54717ac3632b8d3db73aac0c8484033c80deb485f0d47104
Opcode Fuzzy Hash: 1939d85531e13904fe363b4830f128949802a42de45cef1246b0e174d324379b
Instruction Fuzzy Hash: 37218070810386EBDB219F1AEE887AA7BF8FB00315F140667F415931E0DB704991EB70

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B8E7 Relevance: 7.5, APIs: 5, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32 ref: 00B0B903
GetLastError.KERNEL32(?,00B0B3CB,?,?,?), ref: 00B0B90D
GetProcessHeap.KERNEL32(00000008,?,?,00B0B3CB,?,?,?), ref: 00B0B91C
HeapAlloc.KERNEL32(00000000,?,00B0B3CB,?,?,?), ref: 00B0B923
GetUserObjectSecurity.USER32 ref: 00B0B93A

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 12bc7c1e4ca3571e42bf38af01b76603763209b1bf3280e1a24b44194960978b
Instruction ID: d6327745886d632514b13cba6e349320e9a807f8b1e83eae9e9b44934494bb60
Opcode Fuzzy Hash: 12bc7c1e4ca3571e42bf38af01b76603763209b1bf3280e1a24b44194960978b
Instruction Fuzzy Hash: 6A016971201308BFDB254FA5DC88E6B3FADEF8A765B1005A9F945D32A0DB718C41DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00B0A857 Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00B0A874
ProgIDFromCLSID.OLE32(?,00000000), ref: 00B0A88F
lstrcmpiW.KERNEL32(?,00000000), ref: 00B0A89D
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00B0A8AD
CLSIDFromString.OLE32(?,?), ref: 00B0A8B9

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 9aa665b7bd4439e43254f8f7ae3e09cee00f43844aa6dd65158a9311bc9ad769
Instruction ID: d036746bcebfed1822b3a8e21a9253a2a4ed74e2342d7f7e61bf0c19e93af9be
Opcode Fuzzy Hash: 9aa665b7bd4439e43254f8f7ae3e09cee00f43844aa6dd65158a9311bc9ad769
Instruction Fuzzy Hash: 58014F76600314AFDB215F54DC88B9A7FEDEF44792F1489A4B901D3290DB70DD419BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B18355 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B18371
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00B1837F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B18387
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00B18391
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B183CD

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: df307501396eff3d6768f6517cf9b6fd5e8a1e259204fd4371001868835c097e
Instruction ID: ac5c11a635d5a15581f56719730ef6f90525b8671d51fbd06a937df93182994a
Opcode Fuzzy Hash: df307501396eff3d6768f6517cf9b6fd5e8a1e259204fd4371001868835c097e
Instruction Fuzzy Hash: 87011B75D00A19DBCF10ABA4E948AEEBBB8FF08B01F440596E551B2150DF709A9087A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B78E Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B0B7A5
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B0B7AF
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B0B7BE
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B0B7C5
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B0B7DB

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f4a41c913d343c8918742dd09b3356478ef8a89c4d2b2d6782ca671513a435ef
Instruction ID: c44a7fe06ac13ab33422d45e4677a4e400a3a36c4f32265f496e31a9e39e476c
Opcode Fuzzy Hash: f4a41c913d343c8918742dd09b3356478ef8a89c4d2b2d6782ca671513a435ef
Instruction Fuzzy Hash: D8F04F712403046FEB211FA5AC89F6B3BACFF8A756F104199F951D7190DB609C42CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B7EF Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B0B806
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B0B810
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B0B81F
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B0B826
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B0B83C

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: adb748f052a2fdeac76f18b6c2eb8bd39f12752df877f77a5e65f52fab8f0910
Instruction ID: 74d794a2cb7ac0b6021de2d1f56a6cbc5326645c8c2adc8ac82a095380beaf7f
Opcode Fuzzy Hash: adb748f052a2fdeac76f18b6c2eb8bd39f12752df877f77a5e65f52fab8f0910
Instruction Fuzzy Hash: 8FF04975200304AFEB211FA5EC88F6B3BACFF4A756F0041A9F941D71A0DBA09842CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00AEB517 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00AEB526
StrokeAndFillPath.GDI32(?,?,00B4F583,00000000,?), ref: 00AEB542
SelectObject.GDI32(?,00000000), ref: 00AEB555
DeleteObject.GDI32 ref: 00AEB568
StrokePath.GDI32(?), ref: 00AEB583

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c2a6d0da7c879293d6780b188aeec649868df73b8cc56666d0cbf2346bc5d22e
Instruction ID: 2c98bfc4f44b7f8f9004b87cb5abe3f5829360abe1820fa09ccd40e4008c3cc7
Opcode Fuzzy Hash: c2a6d0da7c879293d6780b188aeec649868df73b8cc56666d0cbf2346bc5d22e
Instruction Fuzzy Hash: 81F0EC31050746EBDB266F29EE4C7953FE5B701322F188656E4A6861F0CB308996FF20

Uniqueness

Uniqueness Score: -1.00%

Function 00B1503C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00B6DC40,?,0000000F,0000000C,00000016,00B6DC40,?), ref: 00B1507B

Part of subcall function 00AD84A6: __swprintf.LIBCMT ref: 00AD84E5
Part of subcall function 00AD84A6: __itow.LIBCMT ref: 00AD8519

Part of subcall function 00ADB8A7: _memmove.LIBCMT ref: 00ADB8FB

CharUpperBuffW.USER32(?,?,00000000,?), ref: 00B150FB

Strings

THIS, xrefs: 00B15139
REMOVE, xrefs: 00B150AC

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf_memmove
String ID: REMOVE$THIS
API String ID: 2528338962-776492005
Opcode ID: 790c2b82f6753ee5d0769207a3fce215c00278abf0cd3083f2851bba2da98b9e
Instruction ID: 10740fb7cbdc86a29c4959301b9ef03d058c04049a181c79df1e197e1088a032
Opcode Fuzzy Hash: 790c2b82f6753ee5d0769207a3fce215c00278abf0cd3083f2851bba2da98b9e
Instruction Fuzzy Hash: 8B41AD35A00609EFCB11DF64C981AEEB7F5FF88304F5480AAE816AB352DB309D91CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D784 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00B91810,00B40327,000000FC,?,00000000,00000000,?,?,?,00B4F381,?,?,?,?,?), ref: 00B3D786
GetFocus.USER32(?,00000000,00000000,?,?,?,00B4F381,?,?,?,?,?), ref: 00B3D78E

Part of subcall function 00AEAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AEAF8E

Part of subcall function 00AEB155: GetWindowLongW.USER32(?,000000EB), ref: 00AEB166

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 00B3D800

Strings

, xrefs: 00B3D7C7, 00B3D7D8

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID:
API String ID: 3601265619-2740779761
Opcode ID: aaedbfd053b29c7fcc9e95a6bfdd19e5f796b5355fab0272a719c9a4ead94713
Instruction ID: 30edb4ae2288b23f2f3d5006558ca81005cea6ac29e17450793c43c01f90ff79
Opcode Fuzzy Hash: aaedbfd053b29c7fcc9e95a6bfdd19e5f796b5355fab0272a719c9a4ead94713
Instruction Fuzzy Hash: C00152316006019FC7259F28E995B6677E6FB8A320F284BA9E415872A1DB31AC06DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AF3034 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AF2F4E), ref: 00AF304E
GetProcAddress.KERNEL32(00000000), ref: 00AF3055

Strings

combase.dll, xrefs: 00AF3049
RoUninitialize, xrefs: 00AF303D

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 1f0472e962bed8c54ba219b30f2c68d3a8ed88470408663855d725c30c67ea9c
Instruction ID: a1ae2a5c22b262e32e55cf1f4561d6658fe38fa6762abee5a607d4579e4c79f1
Opcode Fuzzy Hash: 1f0472e962bed8c54ba219b30f2c68d3a8ed88470408663855d725c30c67ea9c
Instruction Fuzzy Hash: BCE0EC70654314AFEB306F61EE0DB253AA4BB04703F10019AF609F30B0CFB54544CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00B1137B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleaut32.dll,?,00B1135F,?,00B11440), ref: 00B11389
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00B1139B

Strings

oleaut32.dll, xrefs: 00B11384
RegisterTypeLibForUser, xrefs: 00B11395

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegisterTypeLibForUser$oleaut32.dll
API String ID: 2574300362-1071820185
Opcode ID: ab53b2527fa33b11f7db438d17413ab2cbbc25951462fbb1e2a15fe884b6a43d
Instruction ID: 588cc1da330887a69c05604e5a372465629a09989352d239e3e4da758b648f95
Opcode Fuzzy Hash: ab53b2527fa33b11f7db438d17413ab2cbbc25951462fbb1e2a15fe884b6a43d
Instruction Fuzzy Hash: FED0A930800B12AFD7302F38F80878236E8EF04B0AF1448E9E5A5E2670DAB0C8C0DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00AEE6A6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AEE69C,74CB4970,00AEE5AC,00B6DC28,?,?), ref: 00AEE6B4
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AEE6C6

Strings

GetNativeSystemInfo, xrefs: 00AEE6C0
kernel32.dll, xrefs: 00AEE6AF

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 59b0d2ff698e7ad45d754cbd36d0cf6a4cc688fe29d71b3ac9e631c2a7438a77
Instruction ID: cdaa7b32b66f87e363a5d6982ace4414f3c3f5dff3f7dc77c1dce7bfad1eb13d
Opcode Fuzzy Hash: 59b0d2ff698e7ad45d754cbd36d0cf6a4cc688fe29d71b3ac9e631c2a7438a77
Instruction Fuzzy Hash: 18D0A934800B128FD730AF32E80870236E8AB24303B0055AAE885E2270DBB0C880CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00AEE6E3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AEE6D9,?,00AEE55B,00B6DC28,?,?), ref: 00AEE6F1
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00AEE703

Strings

IsWow64Process, xrefs: 00AEE6FD
kernel32.dll, xrefs: 00AEE6EC

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: db08befb7332769e7b0b8b617e63dfbe0d6a45a6f74be22e0196e72b0eeb844c
Instruction ID: 6051a6e3b7176b2cd64885d286d902b1105e0efc266ac804e6932e5b2ad11ae3
Opcode Fuzzy Hash: db08befb7332769e7b0b8b617e63dfbe0d6a45a6f74be22e0196e72b0eeb844c
Instruction Fuzzy Hash: 07D0C974500B529FD730BF76E85D7477BE8BB04716B1055AAE895E3271DBB0C880CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B0A8C8 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c666fe6e780b60b22ccf1b199f43bea9866a0c74e56771863c7ae4025e2c3b9d
Instruction ID: 323308d43d33646ad6362cbe291da648220e82cf52f592a13a3047a2fa83a381
Opcode Fuzzy Hash: c666fe6e780b60b22ccf1b199f43bea9866a0c74e56771863c7ae4025e2c3b9d
Instruction Fuzzy Hash: AEC14D75A00216EFCB14DF94C984EAEBBB5FF48700F1089D9E902AB291D770EE41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ADC320 Relevance: 6.3, APIs: 4, Instructions: 259fileCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ADC419
ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,00B16653,?,?,00000000), ref: 00ADC495

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: FileRead_memmove
String ID:
API String ID: 1325644223-0
Opcode ID: f1aa2ac400d3893434e0b1a4591fd09c3e3626b3dfd903ead5673ed385a887ea
Instruction ID: e66e0f7247b007a266ce1844daaf14cd818631962b95599befeed5b4ffb7fac1
Opcode Fuzzy Hash: f1aa2ac400d3893434e0b1a4591fd09c3e3626b3dfd903ead5673ed385a887ea
Instruction Fuzzy Hash: CCA1ED70A0461AEBDF00CF65C984BA9FBB0FF05310F54C296E8669B391D731EA60DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AF42EB Relevance: 6.2, APIs: 4, Instructions: 162COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF4347
_memcpy_s.LIBCMT ref: 00AF43B9
__filbuf.LIBCMT ref: 00AF443A
_memset.LIBCMT ref: 00AF447E

Part of subcall function 00AF889E: __getptd_noexit.LIBCMT ref: 00AF889E

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: e32231b6dc630e7bc50233d96a8fcff1e19409cefeea7d324ce0ed3258b5a775
Instruction ID: 9ef4c82505c3357614d6739c7a4e2b5d8c2476c2369c2d8ad204d31f6295abd5
Opcode Fuzzy Hash: e32231b6dc630e7bc50233d96a8fcff1e19409cefeea7d324ce0ed3258b5a775
Instruction Fuzzy Hash: 9251B330A0030DDBDB249FF989806BF77B5AF48361F248729FA75AA2D0D7709E519B40

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D206 Relevance: 6.1, APIs: 4, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00B0D258
__itow.LIBCMT ref: 00B0D292

Part of subcall function 00B0D4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00B0D549

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00B0D2FB
__itow.LIBCMT ref: 00B0D350

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: d6e93dcc4eeeecb62504097839ea17209680f3aadfda5322f330ede56b7e8a0a
Instruction ID: 345ff23002bf50d52a0cb0bea0488c7e33fd74e13b1b41cc65e39f075681dc61
Opcode Fuzzy Hash: d6e93dcc4eeeecb62504097839ea17209680f3aadfda5322f330ede56b7e8a0a
Instruction Fuzzy Hash: 6B418275A00209ABDF15EF94C952BEE7FF9AF48710F00005AFA06A72D1DB709A45CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00B14497 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,749173F0,?,00008000), ref: 00B144EE
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B1450A
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00B1456A
SendInput.USER32(00000001,?,0000001C,749173F0,?,00008000), ref: 00B145C8

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b45026d06f9a5e81933d137b7a6114dd039d18022c86abcf2433a357a8fa2da0
Instruction ID: c051475087486f217de372b7415186c798820cf4bdb00e78300efbdc9e618ea9
Opcode Fuzzy Hash: b45026d06f9a5e81933d137b7a6114dd039d18022c86abcf2433a357a8fa2da0
Instruction Fuzzy Hash: A3310671A002589FEF309B649818BFE7BE6DB66715F8402DAF081531C1DB748EC5D761

Uniqueness

Uniqueness Score: -1.00%

Function 00B118E8 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B12CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00B118FD,?,?,?,00B126BC,00000000,000000EF,00000119,?,?), ref: 00B12CB9
Part of subcall function 00B12CAA: lstrcpyW.KERNEL32 ref: 00B12CDF
Part of subcall function 00B12CAA: lstrcmpiW.KERNEL32(00000000,?,00B118FD,?,?,?,00B126BC,00000000,000000EF,00000119,?,?), ref: 00B12D10

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00B126BC,00000000,000000EF,00000119,?,?,00000000), ref: 00B11916

Part of subcall function 00AF010A: _malloc.LIBCMT ref: 00AF0122

lstrcpyW.KERNEL32 ref: 00B1193C
lstrcmpiW.KERNEL32(00000002,cdecl,?,00B126BC,00000000,000000EF,00000119,?,?,00000000), ref: 00B11970

Strings

cdecl, xrefs: 00B11967

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen$_malloc
String ID: cdecl
API String ID: 3850814276-3896280584
Opcode ID: 9c191d619319175d0130aa239079df977b13d1bf72c1e93c4da9db131e1bde82
Instruction ID: 67149db270c2c5b1e3eb82ca4500ee3d977be278befdade9d3661f18d62daaa6
Opcode Fuzzy Hash: 9c191d619319175d0130aa239079df977b13d1bf72c1e93c4da9db131e1bde82
Instruction Fuzzy Hash: E511D636100305AFDB15AF78C855EBA77F5FF45350B8085AAF906CB164EB319891C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1713C Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B1715C
_memset.LIBCMT ref: 00B1717D
DeviceIoControl.KERNEL32 ref: 00B171CF
CloseHandle.KERNEL32(00000000), ref: 00B171D8

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 0345ceb4c1bb6e2e25bdefa9dd4d3e39e6a5a0e914b216a79f71c261ff247341
Instruction ID: df855e11c64946ea240781e627485aa2b667e657bdd55c532f0b10544d36c2f8
Opcode Fuzzy Hash: 0345ceb4c1bb6e2e25bdefa9dd4d3e39e6a5a0e914b216a79f71c261ff247341
Instruction Fuzzy Hash: 3D11CA759413287AD7309BA5AC4DFEBBABCEF45760F1042DAF504E71D0D6744E808BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B113D1 Relevance: 6.1, APIs: 4, Instructions: 64registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00B113EE
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B11409
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B1141F
FreeLibrary.KERNEL32(?), ref: 00B11474

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Type$FileFreeLibraryLoadModuleNameRegister
String ID:
API String ID: 3137044355-0
Opcode ID: f728e93a9cf4d702ad5565544550fc23cd490d392583955ad27f0fd86fde02ed
Instruction ID: 2e2c2a7762b200e4e8ba6b7997a484f64cfd2c81192243ea2785f65ab401db3d
Opcode Fuzzy Hash: f728e93a9cf4d702ad5565544550fc23cd490d392583955ad27f0fd86fde02ed
Instruction Fuzzy Hash: 7A217271500309ABDB209F99DC88ADABBF8EF00B44F5089A9A61297250DB74EA84DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C265 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B0C285
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B0C297
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B0C2AD
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B0C2C8

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f3fc47b0c9a0dcf74d13020d8e9d9fac1b522d08a2dfa9053d3b1da10569b739
Instruction ID: 63ee7517c7282ad42533016c7412bf511e136cc2b385b7650dfa9f7ebd7d5e60
Opcode Fuzzy Hash: f3fc47b0c9a0dcf74d13020d8e9d9fac1b522d08a2dfa9053d3b1da10569b739
Instruction Fuzzy Hash: 8011157A940218FFEB11DBE8C885E9DBBB8FB48710F204191EA05B7294D771AE11DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00AEC619 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00AEC657
GetStockObject.GDI32(00000011), ref: 00AEC66B
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AEC675

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 076cb4dc6fe957adbd1d644168b925812dfcbc562490be6ad99663b68771cf58
Instruction ID: b23c59047f1938bf8f7d4dd46623b77b3f64eb7f6cd19c48de9daca8b17d9c5a
Opcode Fuzzy Hash: 076cb4dc6fe957adbd1d644168b925812dfcbc562490be6ad99663b68771cf58
Instruction Fuzzy Hash: 8211C072501689BFDF124FA5CC51EEBBB69FF09364F051211FA0496120DB32DC61EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B149D1 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B1354D,?,00B145D5,?,00008000), ref: 00B149EE
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00B1354D,?,00B145D5,?,00008000), ref: 00B14A13
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B1354D,?,00B145D5,?,00008000), ref: 00B14A1D
Sleep.KERNEL32(?,?,?,?,?,?,?,00B1354D,?,00B145D5,?,00008000), ref: 00B14A50

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 527ed108370919d3cf6053bd7037ca8e63ccd45555cb618e669928362ecb7d01
Instruction ID: d34fbbf1cc21ef31aa0539cea61174abe0679c06b272572a02c0d4ab4ba77b3a
Opcode Fuzzy Hash: 527ed108370919d3cf6053bd7037ca8e63ccd45555cb618e669928362ecb7d01
Instruction Fuzzy Hash: CB114831D40618DBCF00AFA5EA88AEEBBB8FF09701F464195E941B6140CB309590CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00AF8724 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00AF8768

Part of subcall function 00AF8984: __mtinitlocknum.LIBCMT ref: 00AF8996
Part of subcall function 00AF8984: EnterCriticalSection.KERNEL32(00AF0127,?,00AF876D,0000000D), ref: 00AF89AF

InterlockedIncrement.KERNEL32(DC840F00), ref: 00AF8775
__lock.LIBCMT ref: 00AF8789
___addlocaleref.LIBCMT ref: 00AF87A7

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: 14a70925ff1a1847761f0cb9a3624a1e5d21a6f0d926ec1f509594efb59a3ebb
Instruction ID: 23b68a076414ee18a73a5ede36ee7ff491c2dfee50bb541120698fd79ff022e8
Opcode Fuzzy Hash: 14a70925ff1a1847761f0cb9a3624a1e5d21a6f0d926ec1f509594efb59a3ebb
Instruction Fuzzy Hash: 00016D72410B049FE720EFA5C945769B7F0EF40325F20894EF599972A0DFB4A640CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E13E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B3E14D
_memset.LIBCMT ref: 00B3E15C
CreateProcessW.KERNEL32 ref: 00B3E18B
CloseHandle.KERNEL32 ref: 00B3E19D

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 105d132f25d28ca63863eae550cfa01085f9662867ea6db653ab27aae05c55eb
Instruction ID: 86d453b8a909a94f11ce73ddf86cc2241a9b1bf599b970fa319b97bdfccc759d
Opcode Fuzzy Hash: 105d132f25d28ca63863eae550cfa01085f9662867ea6db653ab27aae05c55eb
Instruction Fuzzy Hash: DEF05EF2940305BEE6205B65AD46F777AECDB09B95F004462FA04E61A2DBB69E0086B4

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E83C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00AEB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00AEB5EB
Part of subcall function 00AEB58B: SelectObject.GDI32(?,00000000), ref: 00AEB5FA
Part of subcall function 00AEB58B: BeginPath.GDI32(?), ref: 00AEB611
Part of subcall function 00AEB58B: SelectObject.GDI32(?,00000000), ref: 00AEB63B

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B3E860
LineTo.GDI32(00000000,?,?), ref: 00B3E86D
EndPath.GDI32(00000000), ref: 00B3E87D
StrokePath.GDI32(00000000), ref: 00B3E88B

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 6cd40fa5eb4bfa772a4d1880d113526fc7e672962978958f4f5298b57a782657
Instruction ID: 1e44389958b41fea30cb7ce7dd4260a5a7ba8d1c8fd8349d2af39fa112bc2a0c
Opcode Fuzzy Hash: 6cd40fa5eb4bfa772a4d1880d113526fc7e672962978958f4f5298b57a782657
Instruction Fuzzy Hash: D9F0823100135ABBDB226F54AD0DFCE3F99AF06312F148282FA21620E18B759551DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B0D623 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32 ref: 00B0D640
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B0D653
GetCurrentThreadId.KERNEL32 ref: 00B0D65A
AttachThreadInput.USER32(00000000), ref: 00B0D661

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 863d53f38254aaa42d9e716580e02356c1f0c77e749b52cc5d24ead58b375811
Instruction ID: 889d39a868ecb0eb98869082273f909364a3222249098b1deee4536459d52840
Opcode Fuzzy Hash: 863d53f38254aaa42d9e716580e02356c1f0c77e749b52cc5d24ead58b375811
Instruction Fuzzy Hash: 85E0C971541328BADB206FA29C0DFDB7F5CEF567A2F408191B60D960A0CAB69581CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C066 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B0C071
UnloadUserProfile.USERENV(?,?), ref: 00B0C07D
CloseHandle.KERNEL32(?), ref: 00B0C086
CloseHandle.KERNEL32(?), ref: 00B0C08E

Part of subcall function 00B0B850: GetProcessHeap.KERNEL32(00000000,?,00B0B574), ref: 00B0B857
Part of subcall function 00B0B850: HeapFree.KERNEL32(00000000), ref: 00B0B85E

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f78e29f1c4dd4c346f31cd0336556b1569c01e5c9a2bbcf9a2f9cf0624018d14
Instruction ID: cbea2555954b8d1f469e0931a928f476e492a03e328c8d87b687842a6730393b
Opcode Fuzzy Hash: f78e29f1c4dd4c346f31cd0336556b1569c01e5c9a2bbcf9a2f9cf0624018d14
Instruction Fuzzy Hash: 89E0BF36114606BBCB112F95DD08959FF66FF493223108365F61592570CF326871EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E704 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD3BCF: _wcscpy.LIBCMT ref: 00AD3BF2

Part of subcall function 00AD84A6: __swprintf.LIBCMT ref: 00AD84E5
Part of subcall function 00AD84A6: __itow.LIBCMT ref: 00AD8519

__wcsnicmp.LIBCMT ref: 00B1E785
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B1E84E

Strings

LPT, xrefs: 00B1E77F

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 9748046c109c8e05a05fd5bc3351e2d0395b3db78a57378ab16cbc266034172c
Instruction ID: 42f067722ca85697813c570b9ce5b06a8dbedccf4d0a93e866dea9bca9c1395c
Opcode Fuzzy Hash: 9748046c109c8e05a05fd5bc3351e2d0395b3db78a57378ab16cbc266034172c
Instruction Fuzzy Hash: 7D617E75A00215AFDB14DB94C995EEEB7F4EF48310F4440AAF956AB391DB70EE80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C1EE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

, xrefs: 00B3C216

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-2740779761
Opcode ID: 0062af5ed9b297c9fc1761933dd845a9838eed15bfe63a11b8a9f2af35618451
Instruction ID: 12a727fc4f46a1ad83204a75d8b8187713e4fec8378c097ecc75125f5a9fc18b
Opcode Fuzzy Hash: 0062af5ed9b297c9fc1761933dd845a9838eed15bfe63a11b8a9f2af35618451
Instruction Fuzzy Hash: 7A118B35150609BEEF148FD88D45FBA3FE5EB05750F2081A5FA16FA1D1D6B0DA20EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C577 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B0C5E5

Strings

ComboBox, xrefs: 00B0C581
ListBox, xrefs: 00B0C5AF

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 03d1c03a1a98d5db2e21d23ccf7b854333d5d0574c8c90634fff738ffc2be220
Instruction ID: 5ec787c878cabac928aa4a85404bd9b54956e78ca192a0e0d49501bd9b44eff2
Opcode Fuzzy Hash: 03d1c03a1a98d5db2e21d23ccf7b854333d5d0574c8c90634fff738ffc2be220
Instruction Fuzzy Hash: F401B575611118ABCB08EBA4CD529FE7BEAAF523507140B5AF833E72E1DB30A909D750

Uniqueness

Uniqueness Score: -1.00%

Function 00B1C4D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B1C4EF
__fread_nolock.LIBCMT ref: 00B1C504

Strings

EA06, xrefs: 00B1C532

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 637d43889a164c865b67cdc62044b6816b8bfbffa3d91bbe771403b1bf015e71
Instruction ID: 378be5b5ba50236d80f32e7b2c45d4010ca2e4103f9ab4ecf0461c8a801e6e1f
Opcode Fuzzy Hash: 637d43889a164c865b67cdc62044b6816b8bfbffa3d91bbe771403b1bf015e71
Instruction Fuzzy Hash: 4F01B572944258AEDB28DBA8C856EFE7BF89B15711F00419AF193D6181E5B4A708CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C473 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B0C4E1

Strings

ComboBox, xrefs: 00B0C47D
ListBox, xrefs: 00B0C4AB

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 8c5934ea23f71b57ddfb198b14a75c97ff9377a1299897ca5bc1dc1b80aefffb
Instruction ID: ac88da74fd343890d1f944c930b360bb5a517830cc441ddd0567f1d8f165f135
Opcode Fuzzy Hash: 8c5934ea23f71b57ddfb198b14a75c97ff9377a1299897ca5bc1dc1b80aefffb
Instruction Fuzzy Hash: BF01D4716411086BC704EBA0CA62AFF3BED9F01740F140156E503E32E1DB109E09D761

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C4F6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B0C562

Strings

ComboBox, xrefs: 00B0C500
ListBox, xrefs: 00B0C52E

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 51e45ef4ed74b5cdc1dc50fd6cfa6769fc847dfd9147100e14012a6b02fba9db
Instruction ID: 2bb1a1d4bb62bfce01f486390429bef8fa65647dbb68895997707362c4a2361a
Opcode Fuzzy Hash: 51e45ef4ed74b5cdc1dc50fd6cfa6769fc847dfd9147100e14012a6b02fba9db
Instruction Fuzzy Hash: C301DF75A001086BCB04EBA4CE53AFF3BED9B11741B140256B503E32E1DA209E099661

Uniqueness

Uniqueness Score: -1.00%

Function 00B3F0A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AEAF8E

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00B4F352,?,?,?), ref: 00B3F115

Part of subcall function 00AEB155: GetWindowLongW.USER32(?,000000EB), ref: 00AEB166

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00B3F0FB

Strings

, xrefs: 00B3F0DA

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID:
API String ID: 982171247-2740779761
Opcode ID: 937630a74c8fdfb651d164b1e0cfa4f0f8c3d335a7b5c9cccbc41d1a381adb29
Instruction ID: 3ec35e0d85bc5ced5219bdcb36cb3c977b7be1331bb5a3776e7cbd46c99f1629
Opcode Fuzzy Hash: 937630a74c8fdfb651d164b1e0cfa4f0f8c3d335a7b5c9cccbc41d1a381adb29
Instruction Fuzzy Hash: 1701B531200605EBCB219F18EC95F673BA6FB85364F2445A4F8151B2A1CB319802EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B1804C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00B1806A
_wcscmp.LIBCMT ref: 00B1807C

Strings

#32770, xrefs: 00B18076

Memory Dump Source

Source File: 00000000.00000002.277398639.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000000.00000002.277390476.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277503016.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277588590.0000000000B8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277616827.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_file.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 7b13e0f1b3bc28febf4b526bd7bb4af596d79060f0a8c9b4e6754b768a4c1d2d
Instruction ID: 6d633a2145aed26a93f409d1e6ddf1b19b77739cadad466a05fae436eb9ed69d
Opcode Fuzzy Hash: 7b13e0f1b3bc28febf4b526bd7bb4af596d79060f0a8c9b4e6754b768a4c1d2d
Instruction Fuzzy Hash: 9EE0D13350032927D720EA959C49FD7FBECFB51B64F000056F514D3151EA709645C7D0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: file.exePID: 4788, Parent PID: 3988COMMON

Non-executed Functions

Function 00B16B3F Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 164filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00AD31DA

Part of subcall function 00B17B9F: __wsplitpath.LIBCMT ref: 00B17BBC
Part of subcall function 00B17B9F: __wsplitpath.LIBCMT ref: 00B17BCF

Part of subcall function 00B17C0C: GetFileAttributesW.KERNEL32(?,00B16A7B), ref: 00B17C0D

_wcscat.LIBCMT ref: 00B16B9D
_wcscat.LIBCMT ref: 00B16BBB
__wsplitpath.LIBCMT ref: 00B16BE2
FindFirstFileW.KERNEL32(?,?), ref: 00B16BF8
_wcscpy.LIBCMT ref: 00B16C57
_wcscat.LIBCMT ref: 00B16C6A
_wcscat.LIBCMT ref: 00B16C7D
lstrcmpiW.KERNEL32(?,?), ref: 00B16CAB
DeleteFileW.KERNEL32(?), ref: 00B16CBC
MoveFileW.KERNEL32(?,?), ref: 00B16CDB
MoveFileW.KERNEL32(?,?), ref: 00B16CEA
CopyFileW.KERNEL32(?,?,00000000), ref: 00B16CFF
DeleteFileW.KERNEL32(?), ref: 00B16D10
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B16D37
FindClose.KERNEL32(00000000), ref: 00B16D53
FindClose.KERNEL32(00000000), ref: 00B16D61

Strings

\*.*, xrefs: 00B16B8C, 00B16B9B, 00B16BB9

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
String ID: \*.*
API String ID: 1867810238-1173974218
Opcode ID: 065945020f7e01946f961bed4734a67837c47b1e8112f91fc45b8d31f4397777
Instruction ID: 00d1e12a496fac9a8b5d03360dab1cf9d4f311090fb76778cbddf86c71694a98
Opcode Fuzzy Hash: 065945020f7e01946f961bed4734a67837c47b1e8112f91fc45b8d31f4397777
Instruction Fuzzy Hash: D8512F7290425CAADF21EBA0DC85FEE77BCAF05300F4445E6E549A3041EB359B89CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B27099 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00B6DBF0), ref: 00B270C3
IsClipboardFormatAvailable.USER32(0000000D), ref: 00B270D1
GetClipboardData.USER32 ref: 00B270D9
CloseClipboard.USER32 ref: 00B270E5
GlobalLock.KERNEL32 ref: 00B27101
CloseClipboard.USER32 ref: 00B2710B
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00B27120
IsClipboardFormatAvailable.USER32(00000001), ref: 00B2712D
GetClipboardData.USER32 ref: 00B27135
GlobalLock.KERNEL32 ref: 00B27142
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00B27176
CloseClipboard.USER32(00000001,00000000), ref: 00B27283

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: a84dcb1088019b60ad7da86537e8af5c1e47c8bc1c8e990e1eb8a8e6db4d8f74
Instruction ID: 4ecea5b7eb4fa15815540c7697f3dacafa42cc16289591667f0563ccea3cd786
Opcode Fuzzy Hash: a84dcb1088019b60ad7da86537e8af5c1e47c8bc1c8e990e1eb8a8e6db4d8f74
Instruction Fuzzy Hash: CC51C531248311ABD310EF60EC96F6E77E8AF44B02F00069AF54AD72E1EF71D9058B26

Uniqueness

Uniqueness Score: -1.00%

Function 00B22044 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,000B79F6,?,00000000), ref: 00B22065
_wcscmp.LIBCMT ref: 00B2207A
_wcscmp.LIBCMT ref: 00B22091
GetFileAttributesW.KERNEL32(?), ref: 00B220A3
SetFileAttributesW.KERNEL32(?,?), ref: 00B220BD
FindNextFileW.KERNEL32(00000000,?), ref: 00B220D5
FindClose.KERNEL32(00000000), ref: 00B220E0
FindFirstFileW.KERNEL32(*.*,?), ref: 00B220FC
_wcscmp.LIBCMT ref: 00B22123
_wcscmp.LIBCMT ref: 00B2213A
SetCurrentDirectoryW.KERNEL32(?), ref: 00B2214C
SetCurrentDirectoryW.KERNEL32(00B83A68), ref: 00B2216A
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B22174
FindClose.KERNEL32(00000000), ref: 00B22181
FindClose.KERNEL32(00000000), ref: 00B22191

Strings

*.*, xrefs: 00B220F7

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 099c344286c6d0f67172a1510a5cb43c57a28bbd23b83230479d48bec54d2afc
Instruction ID: 94c0bb75f990c66d5c0034f26d1104589d4c0bf6bd8b89ea949b31bfb974c372
Opcode Fuzzy Hash: 099c344286c6d0f67172a1510a5cb43c57a28bbd23b83230479d48bec54d2afc
Instruction Fuzzy Hash: 6A3180319002297ADB24EBA4EC49FEE77ECDF09351F1441D6FA14E30A0EA74DA94CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00B2219F Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,000B79F6,?,00000000), ref: 00B221C0
_wcscmp.LIBCMT ref: 00B221D5
_wcscmp.LIBCMT ref: 00B221EC

Part of subcall function 00B17606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B17621

FindNextFileW.KERNEL32(00000000,?), ref: 00B2221B
FindClose.KERNEL32(00000000), ref: 00B22226
FindFirstFileW.KERNEL32(*.*,?), ref: 00B22242
_wcscmp.LIBCMT ref: 00B22269
_wcscmp.LIBCMT ref: 00B22280
SetCurrentDirectoryW.KERNEL32(?), ref: 00B22292
SetCurrentDirectoryW.KERNEL32(00B83A68), ref: 00B222B0
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B222BA
FindClose.KERNEL32(00000000), ref: 00B222C7
FindClose.KERNEL32(00000000), ref: 00B222D7

Strings

*.*, xrefs: 00B2223D

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: ae8c02818ddb5cf5ba39d4ec285814a978fbaf744b401ca9541cdfa1e69ba1a3
Instruction ID: 1a7e2f84d8112d62cfbfa46007270b798d279ba6eea92186d99060b7ae1d61d2
Opcode Fuzzy Hash: ae8c02818ddb5cf5ba39d4ec285814a978fbaf744b401ca9541cdfa1e69ba1a3
Instruction Fuzzy Hash: E7318231901629BACB24EBA4EC48FDE77ECDF45321F1402D5E914E31A0EA75DE85CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00B16E4A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 85fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00AD31DA

Part of subcall function 00B17C0C: GetFileAttributesW.KERNEL32(?,00B16A7B), ref: 00B17C0D

_wcscat.LIBCMT ref: 00B16E7E
__wsplitpath.LIBCMT ref: 00B16E99
FindFirstFileW.KERNEL32(?,?), ref: 00B16EAE
_wcscpy.LIBCMT ref: 00B16EDD
_wcscat.LIBCMT ref: 00B16EEF
_wcscat.LIBCMT ref: 00B16F01
DeleteFileW.KERNEL32(?), ref: 00B16F0E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B16F22
FindClose.KERNEL32(00000000), ref: 00B16F3D

Strings

\*.*, xrefs: 00B16E78

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
String ID: \*.*
API String ID: 2643075503-1173974218
Opcode ID: 9bbe179b6c764e4cc71718b96a4cec6931ad3386bea2b14d2fcdbdb24f1870c9
Instruction ID: a3d3ef2a16ae7ad6493c566afcda5bbfe3dc0824d60932750ccbf86f394c8ec9
Opcode Fuzzy Hash: 9bbe179b6c764e4cc71718b96a4cec6931ad3386bea2b14d2fcdbdb24f1870c9
Instruction Fuzzy Hash: 7521C372408348AEC620EBE0D8849EBBBDC9F59214F444A9AF5D4C3051EA30D64D87A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B330AD Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B33AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B32AA6,?,?), ref: 00B33B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B3317F

Part of subcall function 00AD84A6: __swprintf.LIBCMT ref: 00AD84E5
Part of subcall function 00AD84A6: __itow.LIBCMT ref: 00AD8519

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B3321E
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B332B6
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B334F5
RegCloseKey.ADVAPI32(00000000), ref: 00B33502

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 40912ecffbf385eeb8d18ca75a1a9118ab2b47c47885f778f797969e47f18259
Instruction ID: 119fe65071b8a32f0754db4ad6198ee846175bb820ba631b139c7a13e2742b34
Opcode Fuzzy Hash: 40912ecffbf385eeb8d18ca75a1a9118ab2b47c47885f778f797969e47f18259
Instruction Fuzzy Hash: 08E14D71204200AFC715DF29C991E2BBBE8EF88714F1485ADF44ADB361DA31EE45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B27294 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B272BB
EmptyClipboard.USER32 ref: 00B272C1
GlobalAlloc.KERNEL32(00000002,?), ref: 00B272D6
CloseClipboard.USER32 ref: 00B27375

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ca0373f1304caecbe72eb017bbc925a5d6ac90482437375b327e9eee82b1e3a7
Instruction ID: 775c14d0fb0595223f3e2c70a4519c09ecbd1731cc4eb6ecc4712e833c962813
Opcode Fuzzy Hash: ca0373f1304caecbe72eb017bbc925a5d6ac90482437375b327e9eee82b1e3a7
Instruction Fuzzy Hash: FF21E531244220EFD710AF64ED49B6D7BE8EF04311F00819AF90ADB261DF75ED428B99

Uniqueness

Uniqueness Score: -1.00%

Function 00B224A9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B224F6
Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B22526
_wcscmp.LIBCMT ref: 00B2253A
_wcscmp.LIBCMT ref: 00B22555
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B225F3
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B22609

Strings

*.*, xrefs: 00B224D8

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: c7cdf5a069d86822c2a0f33fcb665e185bf21293467889e8f35299c3ad7b910c
Instruction ID: 688592c107b11bf3d52bf639ae8450a81f9999035ac7e803f89e0dfe6fbcd3d8
Opcode Fuzzy Hash: c7cdf5a069d86822c2a0f33fcb665e185bf21293467889e8f35299c3ad7b910c
Instruction Fuzzy Hash: D3416D7190421AAFCF25DFA4DD59AEEBBF4FF14310F144496E819E2291EB309A84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B182D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0BEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B0BF0F
Part of subcall function 00B0BEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B0BF3C
Part of subcall function 00B0BEC3: GetLastError.KERNEL32 ref: 00B0BF49

ExitWindowsEx.USER32(?,00000000), ref: 00B1830C

Strings

, xrefs: 00B182FA
SeShutdownPrivilege, xrefs: 00B182DA
@, xrefs: 00B182FF

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 7fa20f52ad34b2cefe9411be83e06f65faeb0761656652d5517dfbb85ebfbb89
Instruction ID: 25723e4fbbab465eae2d3d41a7f3b23e0b6bfa342d37b6851a56f22e71fbdd1c
Opcode Fuzzy Hash: 7fa20f52ad34b2cefe9411be83e06f65faeb0761656652d5517dfbb85ebfbb89
Instruction Fuzzy Hash: C1018471640311ABE7692678AC8AFFB76D8FB04F81F5809E4F963D60D1DE609C8181A8

Uniqueness

Uniqueness Score: -1.00%

Function 00B16F5B Relevance: 9.1, APIs: 6, Instructions: 71processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B16F7D
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00B16F8D
Process32NextW.KERNEL32(00000000,0000022C), ref: 00B16FAC
__wsplitpath.LIBCMT ref: 00B16FD0
_wcscat.LIBCMT ref: 00B16FE3
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00B17022

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
String ID:
API String ID: 1605983538-0
Opcode ID: 2b4d4aa03b9453ed2d4b6431cb3f1eedadde6182e6e85977fc39bfaae4a5f030
Instruction ID: efd1d8feaa728717f8b2f37b1c0abbff1aaa8e776061b1f0408619fc9d1816f7
Opcode Fuzzy Hash: 2b4d4aa03b9453ed2d4b6431cb3f1eedadde6182e6e85977fc39bfaae4a5f030
Instruction Fuzzy Hash: 77213071904219ABDB21ABA0CC88BEAB7F8AB48300F5004E9F645E3141EB759AC4CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B1EA85 Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B1EA95
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B1EAEF
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00B1EB3C

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d3969e44e9ed21166a7745e98d168b0108c8d9e9f7997b5bad1078b5bd8839e1
Instruction ID: 956277f52936c02c60a82e40166d01c49accf9f9ae97ede91656ea193833524f
Opcode Fuzzy Hash: d3969e44e9ed21166a7745e98d168b0108c8d9e9f7997b5bad1078b5bd8839e1
Instruction Fuzzy Hash: 60215C75A00608EFCB00DFA5D995AEEBBB8FF48310F1480A9E805AB351DB31E955CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B2703C Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00B27057

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 51603510691ce73e223496dd0006ca42ccc2ed544994dca6952e1b67c686f4b9
Instruction ID: 9213d90fa901edee90be3c6d3c27b325f13b1eb581913323b33158b5d9a65398
Opcode Fuzzy Hash: 51603510691ce73e223496dd0006ca42ccc2ed544994dca6952e1b67c686f4b9
Instruction Fuzzy Hash: 9BE048352542155FD710DFA9D908E96F7EDEF54750F008467FA49D7351DEB0E8048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B4C146 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00B4C158

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 03758fd2fbde94e3c4c4085d2123b94d42425d96b917221893d620127a89a098
Instruction ID: 41bcab160d1e20379abd2aeb4d3d86350865a983c2f9412fa8b025d7acae39f6
Opcode Fuzzy Hash: 03758fd2fbde94e3c4c4085d2123b94d42425d96b917221893d620127a89a098
Instruction Fuzzy Hash: 7AC002B14041099BC715CB80C985AAAB6BCAB04301F144595A215E2040DB709B459B61

Uniqueness

Uniqueness Score: -1.00%

Function 00B2A750 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 490filememorywindowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00B2A7A5
DeleteObject.GDI32(?), ref: 00B2A7B7
DestroyWindow.USER32 ref: 00B2A7C5
GetDesktopWindow.USER32 ref: 00B2A7DF
GetWindowRect.USER32 ref: 00B2A7E6
SetRect.USER32 ref: 00B2A927
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00B2A937
CreateWindowExW.USER32 ref: 00B2A97F
GetClientRect.USER32(00000000,?), ref: 00B2A98B
CreateWindowExW.USER32 ref: 00B2A9C5
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B2A9E7
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B2A9FA
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B2AA05
GlobalLock.KERNEL32 ref: 00B2AA0E
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B2AA1D
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B2AA26
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B2AA2D
GlobalFree.KERNEL32 ref: 00B2AA38
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B2AA4A
#418.OLEAUT32(88C00000,00000000,00000000,00B5D9BC,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B2AA60
GlobalFree.KERNEL32 ref: 00B2AA70
CopyImage.USER32 ref: 00B2AA96
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00B2AAB5
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B2AAD7
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B2ACC4

Strings

static, xrefs: 00B2A9BF, 00B2AB16
DISPLAY, xrefs: 00B2AB27
AutoIt v3, xrefs: 00B2A977
, xrefs: 00B2AC4A

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$#418AdjustAllocClientCloseCopyDesktopDestroyHandleImageLockMessageReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2158968032-2373415609
Opcode ID: 3c17625af27d34e39a943184c5a2f20359655438b6b180e1a8efc53381323792
Instruction ID: 8b52c6fc8f4cd9c860edfd94ac3073bbdbaf7f4eaec9fa00e90f9ace36552ab6
Opcode Fuzzy Hash: 3c17625af27d34e39a943184c5a2f20359655438b6b180e1a8efc53381323792
Instruction Fuzzy Hash: EB028071900215EFDB14DF68DD89EAE7BB9FB48311F008699F915EB2A1DB309D41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D095 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B3D0EB
GetSysColorBrush.USER32(0000000F), ref: 00B3D11C
GetSysColor.USER32(0000000F), ref: 00B3D128
SetBkColor.GDI32(?,000000FF), ref: 00B3D142
SelectObject.GDI32(?,00000000), ref: 00B3D151
InflateRect.USER32(?,000000FF,000000FF), ref: 00B3D17C
GetSysColor.USER32(00000010), ref: 00B3D184
CreateSolidBrush.GDI32(00000000), ref: 00B3D18B
FrameRect.USER32 ref: 00B3D19A
DeleteObject.GDI32(00000000), ref: 00B3D1A1
InflateRect.USER32(?,000000FE,000000FE), ref: 00B3D1EC
FillRect.USER32 ref: 00B3D21E
GetWindowLongW.USER32(?,000000F0), ref: 00B3D249

Part of subcall function 00B3D385: GetSysColor.USER32(00000012), ref: 00B3D3BE
Part of subcall function 00B3D385: SetTextColor.GDI32(?,?), ref: 00B3D3C2
Part of subcall function 00B3D385: GetSysColorBrush.USER32(0000000F), ref: 00B3D3D8
Part of subcall function 00B3D385: GetSysColor.USER32(0000000F), ref: 00B3D3E3
Part of subcall function 00B3D385: GetSysColor.USER32(00000011), ref: 00B3D400
Part of subcall function 00B3D385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B3D40E
Part of subcall function 00B3D385: SelectObject.GDI32(?,00000000), ref: 00B3D41F
Part of subcall function 00B3D385: SetBkColor.GDI32(?,00000000), ref: 00B3D428
Part of subcall function 00B3D385: SelectObject.GDI32(?,?), ref: 00B3D435
Part of subcall function 00B3D385: InflateRect.USER32(?,000000FF,000000FF), ref: 00B3D454
Part of subcall function 00B3D385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B3D46B
Part of subcall function 00B3D385: GetWindowLongW.USER32(00000000,000000F0), ref: 00B3D480
Part of subcall function 00B3D385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B3D4A8

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 9c4f9045953420ae4e6d78ca1271a51822d57bc893e816177fd7d51699661020
Instruction ID: ad164354fe051ac95d2dde529c5d0153820cba924fe1ad06ed2357691f592e71
Opcode Fuzzy Hash: 9c4f9045953420ae4e6d78ca1271a51822d57bc893e816177fd7d51699661020
Instruction Fuzzy Hash: 91915C71408701AFD7219F64EC48F5BBBE9FB89322F200B59F962A71A0DB71D944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AD48C8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 491windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00AD4956
DeleteObject.GDI32(00000000), ref: 00AD4998
DeleteObject.GDI32(00000000), ref: 00AD49A3
DestroyIcon.USER32(00000000), ref: 00AD49AE
DestroyWindow.USER32(00000000), ref: 00AD49B9
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B4E179
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B4E1B2
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B4E5E0

Part of subcall function 00AD49CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AD4954,?), ref: 00AD4A23

SendMessageW.USER32 ref: 00B4E627
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B4E63E
ImageList_Destroy.COMCTL32(00000000), ref: 00B4E654
ImageList_Destroy.COMCTL32(00000000), ref: 00B4E65F

Strings

0, xrefs: 00B4E474

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 1bd4b7775636679e301767fb10ab85c9821e562ae79769faf48e1e0fd600c46e
Instruction ID: b8ea0386c3c594f168329ae8a86bab9b31909a2aea10474f63bbe05f4f50b13f
Opcode Fuzzy Hash: 1bd4b7775636679e301767fb10ab85c9821e562ae79769faf48e1e0fd600c46e
Instruction Fuzzy Hash: 67129130600201DFDB21CF14C994BAAB7E5FF09305F1445AAF5AADB262C731EE46EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B2A3F7 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 00B2A42A
SystemParametersInfoW.USER32 ref: 00B2A4E9
SetRect.USER32 ref: 00B2A527
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B2A539
CreateWindowExW.USER32 ref: 00B2A57F
GetClientRect.USER32(00000000,?), ref: 00B2A58B
CreateWindowExW.USER32 ref: 00B2A5CF
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B2A5DE
GetStockObject.GDI32(00000011), ref: 00B2A5EE
SelectObject.GDI32(00000000,00000000), ref: 00B2A5F2
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B2A602
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B2A60B
DeleteDC.GDI32(00000000), ref: 00B2A614
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?,?,50000000), ref: 00B2A642
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B2A659
CreateWindowExW.USER32 ref: 00B2A694
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B2A6A8
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B2A6B9
CreateWindowExW.USER32 ref: 00B2A6E9
GetStockObject.GDI32(00000011), ref: 00B2A6F4
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B2A6FF
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B2A709

Strings

static, xrefs: 00B2A5C9, 00B2A6E3
DISPLAY, xrefs: 00B2A5D4
AutoIt v3, xrefs: 00B2A577
msctls_progress32, xrefs: 00B2A68A

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 169749705e29d82083876b6fbe7a4f0faa3b2f8a77b2343a7e3c74d22b68b3f7
Instruction ID: 3e654ee35ce85e547358d2cd387a29cc61c80f4ca88667492eab0024f8a191c5
Opcode Fuzzy Hash: 169749705e29d82083876b6fbe7a4f0faa3b2f8a77b2343a7e3c74d22b68b3f7
Instruction Fuzzy Hash: C9A19F71A00215BFEB14DBA8DD4AFAE7BB9EB04711F004255F615E72E0DBB0AD40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E44C Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 187COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B1E45E
GetDriveTypeW.KERNEL32(?,00B6DC88,?,\\.\,00B6DBF0), ref: 00B1E54B
SetErrorMode.KERNEL32(00000000,00B6DC88,?,\\.\,00B6DBF0), ref: 00B1E6B1

Strings

SAS, xrefs: 00B1E65A
Removable, xrefs: 00B1E59D
PhysicalDrive, xrefs: 00B1E4EF
FileBackedVirtual, xrefs: 00B1E67D
Virtual, xrefs: 00B1E676
USB, xrefs: 00B1E645
Fixed, xrefs: 00B1E593
RAID, xrefs: 00B1E64C
Network, xrefs: 00B1E589
ATA, xrefs: 00B1E629
SATA, xrefs: 00B1E661
ATAPI, xrefs: 00B1E622
SCSI, xrefs: 00B1E61B
iSCSI, xrefs: 00B1E653
SSD, xrefs: 00B1E5D8
SSA, xrefs: 00B1E637
RAMDisk, xrefs: 00B1E575
\\.\, xrefs: 00B1E4B3
MMC, xrefs: 00B1E66F
Unknown, xrefs: 00B1E56B, 00B1E614
1394, xrefs: 00B1E630
Fibre, xrefs: 00B1E63E
CDROM, xrefs: 00B1E57F

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f860a15bdbc24044d2f95d74fb742ca34d43f4a5c2af4ff2d7b156293bae3d3c
Instruction ID: b848c57d9d609282ddfd7ab4e0a1fe17d7b2e509dbe0f25fc60957b661f6b8e8
Opcode Fuzzy Hash: f860a15bdbc24044d2f95d74fb742ca34d43f4a5c2af4ff2d7b156293bae3d3c
Instruction Fuzzy Hash: 0551C830244301EBC210EB14C991DA9B7E1FB64F54BE049DAFC66A72B1DB60DEC5DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00ADC714 Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 245COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00ADC741
__wcsnicmp.LIBCMT ref: 00ADC759
__wcsnicmp.LIBCMT ref: 00ADC771
__wcsnicmp.LIBCMT ref: 00ADC789
__wcsnicmp.LIBCMT ref: 00ADC7A1
__wcsnicmp.LIBCMT ref: 00ADC7B5
__wcsnicmp.LIBCMT ref: 00ADC7C9
__wcsnicmp.LIBCMT ref: 00ADC7E1
__wcsnicmp.LIBCMT ref: 00ADC8B2
__wcsnicmp.LIBCMT ref: 00ADC8C6
__wcsnicmp.LIBCMT ref: 00ADC8DA
__wcsnicmp.LIBCMT ref: 00ADC8EE

Strings

#notrayicon, xrefs: 00ADC753
#OnAutoItStartRegister, xrefs: 00ADC783
Unterminated group of comments, xrefs: 00B43475
#cs, xrefs: 00ADC7DB, 00ADC8C0
#include, xrefs: 00ADC7AF
Cannot parse #include, xrefs: 00B43482
#comments-end, xrefs: 00ADC8D4
#comments-start, xrefs: 00ADC7C3, 00ADC8AC
#requireadmin, xrefs: 00ADC76B
#include-once, xrefs: 00ADC79B
#ce, xrefs: 00ADC8E8
#pragma compile, xrefs: 00ADC73B
Bad directive syntax error, xrefs: 00B4346D

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 25dd7464b78bde321e05def05ec9929c82a5ee89111244b15a5a2bd2b9a5fa29
Instruction ID: 4e485ba991ddb17e5ff0adce4db71540c24c8d9f35be5de1dabd8fc7d1a76622
Opcode Fuzzy Hash: 25dd7464b78bde321e05def05ec9929c82a5ee89111244b15a5a2bd2b9a5fa29
Instruction Fuzzy Hash: 3761473170031777DB21ABA49D92FBA33E8AF15750F540066FD43A6292EBA4CB01D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C4F9 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 447windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 00B3C598
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00B3C64E
SendMessageW.USER32(?,00001102,00000002,?), ref: 00B3C669
SendMessageW.USER32(?,000000F1,?,00000000), ref: 00B3C925

Strings

0, xrefs: 00B3C6AC

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: fdd54503ad2d5e4cb07c1e8e744fb07a0966d0c6412dfe15294be23f94f274eb
Instruction ID: 07de3b83da140106dea15147fab214c2328e21936b0e1fe7bea44630d80afda1
Opcode Fuzzy Hash: fdd54503ad2d5e4cb07c1e8e744fb07a0966d0c6412dfe15294be23f94f274eb
Instruction Fuzzy Hash: E4F1E171204301AFE7218F64CC85BAABFE4FF49354F280AA9F588E72A1C770D945DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B36189 Relevance: 42.4, APIs: 1, Strings: 23, Instructions: 352COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00B6DBF0), ref: 00B36245

Strings

ISCHECKED, xrefs: 00B36455
HIDEDROPDOWN, xrefs: 00B3631C
SENDCOMMANDID, xrefs: 00B365C6
ISENABLED, xrefs: 00B36288
FINDSTRING, xrefs: 00B36392
GETLINECOUNT, xrefs: 00B364E0
GETCURRENTSELECTION, xrefs: 00B363FF
ISVISIBLE, xrefs: 00B36251
UNCHECK, xrefs: 00B3649D
TABLEFT, xrefs: 00B362A3
SETCURRENTSELECTION, xrefs: 00B363D2
SELECTSTRING, xrefs: 00B36422
TABRIGHT, xrefs: 00B362B9
GETCURRENTCOL, xrefs: 00B36520
ADDSTRING, xrefs: 00B36332
EDITPASTE, xrefs: 00B36557
SHOWDROPDOWN, xrefs: 00B362FC
DELSTRING, xrefs: 00B36365
GETLINE, xrefs: 00B36587
CURRENTTAB, xrefs: 00B362D9
GETSELECTED, xrefs: 00B364BD
CHECK, xrefs: 00B36487
GETCURRENTLINE, xrefs: 00B36500

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 3964851224-45149045
Opcode ID: 0b50a89822dadf6597d2e5a30227f483cdb1b3a0155dfa0869488e898f25ea38
Instruction ID: 3254a465631b83cdbd576c77deb82404dabc9a7c2c150ef91c583240a586be92
Opcode Fuzzy Hash: 0b50a89822dadf6597d2e5a30227f483cdb1b3a0155dfa0869488e898f25ea38
Instruction Fuzzy Hash: 00C183342042429FCB04EF14C551A6E7BD6EF94354F6588A9F8865B3E6DF30DD4ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 00AEA756 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 285windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00AEA839
GetSystemMetrics.USER32 ref: 00AEA841
SystemParametersInfoW.USER32 ref: 00AEA86C
GetSystemMetrics.USER32 ref: 00AEA874
GetSystemMetrics.USER32 ref: 00AEA899
SetRect.USER32 ref: 00AEA8B6
AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 00AEA8C6
CreateWindowExW.USER32 ref: 00AEA8F9
SetWindowLongW.USER32 ref: 00AEA90D
GetClientRect.USER32(00000000,000000FF), ref: 00AEA92B
GetStockObject.GDI32(00000011), ref: 00AEA947
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AEA952

Part of subcall function 00AEB736: GetCursorPos.USER32(000000FF,00000000,00000000,00000000,00B91810,00B91810,?,00AEA965,00000000,000000FF,?,?,?), ref: 00AEB749
Part of subcall function 00AEB736: ScreenToClient.USER32 ref: 00AEB766
Part of subcall function 00AEB736: GetAsyncKeyState.USER32(?), ref: 00AEB78B
Part of subcall function 00AEB736: GetAsyncKeyState.USER32(?), ref: 00AEB799

SetTimer.USER32(00000000,00000000,00000028,00AEACEE), ref: 00AEA979

Strings

AutoIt v3 GUI, xrefs: 00AEA8F1

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e377f90e648ec6ab55003bfb4412b0708de3fa81b8f2cf8810ae5b0514f52ebf
Instruction ID: ccf1888fdca4207f3e52823361250b88aeff19362733d5bcee82ce73c85b0ca3
Opcode Fuzzy Hash: e377f90e648ec6ab55003bfb4412b0708de3fa81b8f2cf8810ae5b0514f52ebf
Instruction Fuzzy Hash: 44B17A31A0020AAFDF14DFA9DD85BAE7BB4FB18315F104269FA15E72A0DB70E841DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B369C5 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 281windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B36A52
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B36B12

Strings

DESELECT, xrefs: 00B36BF8
SELECTALL, xrefs: 00B36B71
GETITEMCOUNT, xrefs: 00B36A80
GETSELECTEDCOUNT, xrefs: 00B36AF5
SELECTCLEAR, xrefs: 00B36B89
SELECTINVERT, xrefs: 00B36BDA
GETTEXT, xrefs: 00B36ABB
GETSUBITEMCOUNT, xrefs: 00B36A9D
GETSELECTED, xrefs: 00B36C38
FINDITEM, xrefs: 00B36C7D
ISSELECTED, xrefs: 00B36B1D
SELECT, xrefs: 00B36BA4
VIEWCHANGE, xrefs: 00B36CC9

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 828bab45fd6bb0f8d202030392867c40077d3c883fb2c85da928c5fd397c8329
Instruction ID: 30989615ee140809ea6de46146b836ce05dc5fb68dce9a2fede190d6a7483813
Opcode Fuzzy Hash: 828bab45fd6bb0f8d202030392867c40077d3c883fb2c85da928c5fd397c8329
Instruction Fuzzy Hash: B1A15230204341AFCB14EF14CA91A6AB7E6FF44354F6489AAF8969B3D2DB70ED05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B0E69D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00B0E6E1
_wcscmp.LIBCMT ref: 00B0E6F2
GetWindowTextW.USER32 ref: 00B0E71A
CharUpperBuffW.USER32(?,00000000), ref: 00B0E737
_wcscmp.LIBCMT ref: 00B0E755
_wcsstr.LIBCMT ref: 00B0E766
GetClassNameW.USER32 ref: 00B0E79E
_wcscmp.LIBCMT ref: 00B0E7AE
GetWindowTextW.USER32 ref: 00B0E7D5
GetClassNameW.USER32 ref: 00B0E81E
_wcscmp.LIBCMT ref: 00B0E82E
GetClassNameW.USER32 ref: 00B0E856
GetWindowRect.USER32 ref: 00B0E8BF

Strings

ThumbnailClass, xrefs: 00B0E7A9, 00B0E829
@, xrefs: 00B0E6BC

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: bdc354944aa1bce8326f508e804c445e94ca4344b6eae1de85ddd77b07cd189c
Instruction ID: 9528aeadaa7f8235b69c036f5b74c1539bdc95d16c5ba1f1b2edbfd9b6d23d11
Opcode Fuzzy Hash: bdc354944aa1bce8326f508e804c445e94ca4344b6eae1de85ddd77b07cd189c
Instruction Fuzzy Hash: E481A0310083099BDB15DF10C981FAA7BE8FF44754F0489AAFDA99A0D2DB30DD46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0E4EA Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B0E549

Strings

[CLASS:, xrefs: 00B0E599
LAST, xrefs: 00B0E50E
HANDLE=, xrefs: 00B0E542
[LAST, xrefs: 00B0E5F6
[ALL, xrefs: 00B0E5EF
[REGEXPTITLE:, xrefs: 00B0E571
CLASSNAME=, xrefs: 00B0E586
REGEXP=, xrefs: 00B0E55E
ACTIVE, xrefs: 00B0E524
[HANDLE:, xrefs: 00B0E555
ALL, xrefs: 00B0E5DD
[ACTIVE, xrefs: 00B0E536

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 2adae736e80b5fe61cc4edd31dbab4d519b02e63fd7a68ee46f546c4cf7685a9
Instruction ID: 4ead09253e3cbedfeada0746a86be3e90453ee9aea0580d63fe7ab926922321d
Opcode Fuzzy Hash: 2adae736e80b5fe61cc4edd31dbab4d519b02e63fd7a68ee46f546c4cf7685a9
Instruction Fuzzy Hash: 35317C31944209E6DA18FBA0DE53EBE77E4AF20B54F2008A6F562711F6FF51AF04CA11

Uniqueness

Uniqueness Score: -1.00%

Function 00B201E4 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00B2026A
_wcschr.LIBCMT ref: 00B20278
_wcscpy.LIBCMT ref: 00B2028F
_wcscat.LIBCMT ref: 00B2029E
_wcscat.LIBCMT ref: 00B202BC
_wcscpy.LIBCMT ref: 00B202DD
__wsplitpath.LIBCMT ref: 00B203BA
_wcscpy.LIBCMT ref: 00B203DF
_wcscpy.LIBCMT ref: 00B203F1
_wcscpy.LIBCMT ref: 00B20406
_wcscat.LIBCMT ref: 00B2041B
_wcscat.LIBCMT ref: 00B2042D
_wcscat.LIBCMT ref: 00B20442

Part of subcall function 00B1C890: _wcscmp.LIBCMT ref: 00B1C92A
Part of subcall function 00B1C890: __wsplitpath.LIBCMT ref: 00B1C96F
Part of subcall function 00B1C890: _wcscpy.LIBCMT ref: 00B1C982
Part of subcall function 00B1C890: _wcscat.LIBCMT ref: 00B1C995
Part of subcall function 00B1C890: __wsplitpath.LIBCMT ref: 00B1C9BA
Part of subcall function 00B1C890: _wcscat.LIBCMT ref: 00B1C9D0
Part of subcall function 00B1C890: _wcscat.LIBCMT ref: 00B1C9E3

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00B20235

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2955681530-2806939583
Opcode ID: 7a7b8aeb7d85de5ea35d96bb81bf63fd74dc5615be1024ebb9ed7a3bb45edc05
Instruction ID: 45c90100494ee0d11de9180c0f47b628dbfe089de20aeb6a74ed012dedba6a6e
Opcode Fuzzy Hash: 7a7b8aeb7d85de5ea35d96bb81bf63fd74dc5615be1024ebb9ed7a3bb45edc05
Instruction Fuzzy Hash: DC91B471504305AFCB20FB50DA95FAEB3E8EF48310F00489EF54997252EB74EA44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B3CC68 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B3CD0B
DestroyWindow.USER32(00000000,?), ref: 00B3CD83

Part of subcall function 00AD7E53: _memmove.LIBCMT ref: 00AD7EB9

CreateWindowExW.USER32 ref: 00B3CE04
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B3CE26
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B3CE35
DestroyWindow.USER32(?), ref: 00B3CE52
CreateWindowExW.USER32 ref: 00B3CE85
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B3CEA4
GetDesktopWindow.USER32 ref: 00B3CEB9
GetWindowRect.USER32 ref: 00B3CEC0
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B3CED2
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B3CEEA

Part of subcall function 00AEB155: GetWindowLongW.USER32(?,000000EB), ref: 00AEB166

Strings

tooltips_class32, xrefs: 00B3CDFD, 00B3CE7E
0, xrefs: 00B3CD2B

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 5227ee6690e764165a944263261236fa656a1437760ea8cc2bf3c03729e613b6
Instruction ID: 43f231f9c39b981eaf0532812f71d296315cb90f6eea419d0a301892b197bf1f
Opcode Fuzzy Hash: 5227ee6690e764165a944263261236fa656a1437760ea8cc2bf3c03729e613b6
Instruction Fuzzy Hash: 9671DF75140309AFD725CF68CC85FAA3BE5FB88704F54099DF985A72A1DB71E802DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00B3F122 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 178windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AEAF8E

DragQueryPoint.SHELL32(?,?), ref: 00B3F14B

Part of subcall function 00B3D5EE: ClientToScreen.USER32(?,?), ref: 00B3D617
Part of subcall function 00B3D5EE: GetWindowRect.USER32 ref: 00B3D68D
Part of subcall function 00B3D5EE: PtInRect.USER32(?,?,00B3EB2C), ref: 00B3D69D

SendMessageW.USER32(?,000000B0,?,?), ref: 00B3F1B4
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B3F1BF
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B3F1E2
_wcscat.LIBCMT ref: 00B3F212
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B3F229
SendMessageW.USER32(?,000000B0,?,?), ref: 00B3F242
SendMessageW.USER32(?,000000B1,?,?), ref: 00B3F259
SendMessageW.USER32(?,000000B1,?,?), ref: 00B3F27B
DragFinish.SHELL32(?), ref: 00B3F282
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B3F36D

Strings

@GUI_DROPID, xrefs: 00B3F2A2
@GUI_DRAGID, xrefs: 00B3F2E1
@GUI_DRAGFILE, xrefs: 00B3F31C

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 07d354b3175bf13e9d21373ecae066f935ccd0400858f0ff4014b8ce9027c879
Instruction ID: dd74ef717aefc9bbfe7b74c7d40a629bb1b9090da407c28ae0f6c96b9aa1714a
Opcode Fuzzy Hash: 07d354b3175bf13e9d21373ecae066f935ccd0400858f0ff4014b8ce9027c879
Instruction Fuzzy Hash: 53615972508301AFC710EF64DD85EABBBE8FF89750F100A5EF595932A1DB709A05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B36F67 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 244windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B36FF9
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B37044

Strings

ISCHECKED, xrefs: 00B371AF
EXISTS, xrefs: 00B370AD
COLLAPSE, xrefs: 00B3708A
EXPAND, xrefs: 00B370DE
UNCHECK, xrefs: 00B37208
GETTOTALCOUNT, xrefs: 00B37027
GETITEMCOUNT, xrefs: 00B3710E
GETTEXT, xrefs: 00B3717F
GETSELECTED, xrefs: 00B3713C
CHECK, xrefs: 00B37064
SELECT, xrefs: 00B371DD

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: dde1c5120bdaf58d8fb52de9ec2110a0c164c35d2146a91c83083872822728e3
Instruction ID: ed945935e4d98607755d01d13bbf0835b474f2fd5320e7c9612eb2ac91a4580b
Opcode Fuzzy Hash: dde1c5120bdaf58d8fb52de9ec2110a0c164c35d2146a91c83083872822728e3
Instruction Fuzzy Hash: F79193742447019FCB18EF14C991A6AB7E2EF84354F1448ADF8966B3A2CF35ED4ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E305 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00B3E3BB
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B3BCBF), ref: 00B3E417
LoadImageW.USER32 ref: 00B3E457
LoadImageW.USER32 ref: 00B3E49C
LoadImageW.USER32 ref: 00B3E4D3
FreeLibrary.KERNEL32(?,00000004,?,?,?,?,00B3BCBF), ref: 00B3E4DF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B3E4EF
DestroyIcon.USER32(?,?,?,?,?,00B3BCBF), ref: 00B3E4FE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B3E51B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B3E527

Part of subcall function 00AF1BC7: __wcsicmp_l.LIBCMT ref: 00AF1C50

Strings

.exe, xrefs: 00B3E351
.icl, xrefs: 00B3E331
.dll, xrefs: 00B3E374

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 2fa1f8ce58d83ad59ef8e6bd517ed02bfd9d6184f2a5038eabfcff01006ca25a
Instruction ID: 612421d38580a232236e7b6537975b27c2d35cdc9ce1b6826c6fab5ea5a4ab9a
Opcode Fuzzy Hash: 2fa1f8ce58d83ad59ef8e6bd517ed02bfd9d6184f2a5038eabfcff01006ca25a
Instruction Fuzzy Hash: 0F61A071500219FAEB24DF64CD86FBE77A8EB08711F204296F925E71D1EBB4D981C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B20E41 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 184timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B20EFF
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B20F0F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B20F1B
__wsplitpath.LIBCMT ref: 00B20F79
_wcscat.LIBCMT ref: 00B20F91
_wcscat.LIBCMT ref: 00B20FA3
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00B20FB8
SetCurrentDirectoryW.KERNEL32(?), ref: 00B20FCC
SetCurrentDirectoryW.KERNEL32(?), ref: 00B20FFE
SetCurrentDirectoryW.KERNEL32(?), ref: 00B2101F
_wcscpy.LIBCMT ref: 00B2102B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B2106A

Strings

*.*, xrefs: 00B21025

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: b22ec4fe076fdf34b3c66ea46ebc40b515eefc52524c38fc491d41f524e14547
Instruction ID: 9d39dd3381b7e7269c550c29d062a86384f2917da2682f0e864cc067ffe91afd
Opcode Fuzzy Hash: b22ec4fe076fdf34b3c66ea46ebc40b515eefc52524c38fc491d41f524e14547
Instruction Fuzzy Hash: B8616E725043459FC710EF64D944A9BB3E9FF88310F00895AF98997251EB35EA85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B13110 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 129windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00B44085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 00B13145
LoadStringW.USER32(00000000,?,00B44085,00000016), ref: 00B1314E

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00B44085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 00B13170
LoadStringW.USER32(00000000,?,00B44085,00000016), ref: 00B13173
__swprintf.LIBCMT ref: 00B131B3
__swprintf.LIBCMT ref: 00B131C5
_wprintf.LIBCMT ref: 00B1326C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B13283

Strings

^ ERROR, xrefs: 00B13216
Line %d:, xrefs: 00B131AD
Line %d (File "%s"):, xrefs: 00B131BF
%s (%d) : ==> %s: %s %s, xrefs: 00B13267
Error: , xrefs: 00B1323C

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: dcf5c306b71cfd3b13f5baddac1083d9ce3a1ddfde42c4c148e106fd067a4440
Instruction ID: fb6ba2ec3ec6dde51fa986c3d4eebaf265ce3d7e105ab212b9d9dae1ee2d7403
Opcode Fuzzy Hash: dcf5c306b71cfd3b13f5baddac1083d9ce3a1ddfde42c4c148e106fd067a4440
Instruction Fuzzy Hash: 6D414572900209BACB14FBE0DE97EEE77B99F14B41F5001A6F602B21A1EE755F44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E541 Relevance: 22.6, APIs: 15, Instructions: 129filememorywindowCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00B3BD04,?,?), ref: 00B3E564
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E57B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E586
CloseHandle.KERNEL32(00000000,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E593
GlobalLock.KERNEL32 ref: 00B3E59C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E5AB
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E5B4
CloseHandle.KERNEL32(00000000,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E5BB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E5CC
#418.OLEAUT32(?,00000000,00000000,00B5D9BC,?,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E5E5
GlobalFree.KERNEL32 ref: 00B3E5F5
GetObjectW.GDI32(00000000,00000018,?,?,?,?,?,00B3BD04,?,?,00000000,?), ref: 00B3E619
CopyImage.USER32 ref: 00B3E644
DeleteObject.GDI32(00000000), ref: 00B3E66C
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B3E682

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$#418AllocCopyDeleteFreeImageLockMessageReadSendSizeStreamUnlock
String ID:
API String ID: 2779716855-0
Opcode ID: 5db081e99bbd5a8266906bc9395f7de31bca6807faa88dd773cc6f5bce366fbb
Instruction ID: 5dba06cc6b27296b7eee55bef726c6937885bcaffca4537d847e907093ddd752
Opcode Fuzzy Hash: 5db081e99bbd5a8266906bc9395f7de31bca6807faa88dd773cc6f5bce366fbb
Instruction Fuzzy Hash: 0C415B75600304BFDB219F65CC88EAABBB9EF89716F108199F915E72A0DB31DD41DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B20B20 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00B20C93
_wcscat.LIBCMT ref: 00B20CAB
_wcscat.LIBCMT ref: 00B20CBD
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00B20CD2
SetCurrentDirectoryW.KERNEL32(?), ref: 00B20CE6
GetFileAttributesW.KERNEL32(?), ref: 00B20CFE
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B20D18
SetCurrentDirectoryW.KERNEL32(?), ref: 00B20D2A

Strings

*.*, xrefs: 00B20D69

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: f63688f3fb902790f2051312fc9f8e71666fd99573340fa9fef21c9a19609021
Instruction ID: 2d440633ed75342c2f41c1c40404908f3f72203b9e7975c4da33ca53c3290c88
Opcode Fuzzy Hash: f63688f3fb902790f2051312fc9f8e71666fd99573340fa9fef21c9a19609021
Instruction Fuzzy Hash: B681B7B15143159FC724EF64D884AAAB7E4EB88310F148D6EF889C7252E734DD84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B3ECBC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AEAF8E

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B3ED0C
GetFocus.USER32(?,?,?,?), ref: 00B3ED1C
GetDlgCtrlID.USER32 ref: 00B3ED27
_memset.LIBCMT ref: 00B3EE52
GetMenuItemInfoW.USER32 ref: 00B3EE7D
GetMenuItemCount.USER32 ref: 00B3EE9D
GetMenuItemID.USER32(?,00000000), ref: 00B3EEB0
GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 00B3EEE4
GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 00B3EF2C
CheckMenuRadioItem.USER32 ref: 00B3EF64
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B3EF99

Strings

0, xrefs: 00B3EE4A

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: eea87cf171dd344c2f20013305cce4e6edbbe0161847478fedd3883969bf78a7
Instruction ID: 86ffb6dced04989da61d600b6a7c88ba5827ebd0fb67cc98e1326ba2b9b90634
Opcode Fuzzy Hash: eea87cf171dd344c2f20013305cce4e6edbbe0161847478fedd3883969bf78a7
Instruction Fuzzy Hash: 7681A271108311AFEB10DF14D884A6BBBE4FF88354F204AAEF9A5972D1D770D905DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B2A268 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B2A2DD
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B2A2E9
CreateCompatibleDC.GDI32(?), ref: 00B2A2F5
SelectObject.GDI32(00000000,?), ref: 00B2A302
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B2A356
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00B2A392
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B2A3B6
SelectObject.GDI32(00000006,?), ref: 00B2A3BE
DeleteObject.GDI32(?), ref: 00B2A3C7
DeleteDC.GDI32(00000006), ref: 00B2A3CE
ReleaseDC.USER32 ref: 00B2A3D9

Strings

(, xrefs: 00B2A37E

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: fa2ae02bb9d067c9a0773095a7f2d7145401972dcd26d085a0324fa0f55c8128
Instruction ID: c83d3438c66edf6848402e6bce6fc93f61a3769def5db6ac4f14b3a1757f076e
Opcode Fuzzy Hash: fa2ae02bb9d067c9a0773095a7f2d7145401972dcd26d085a0324fa0f55c8128
Instruction Fuzzy Hash: 69515871900319EFCB25CFA8DC85EAEBBF9EF48310F14855DF99AA7250C731A8418B54

Uniqueness

Uniqueness Score: -1.00%

Function 00B0AEE5 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD7E53: _memmove.LIBCMT ref: 00AD7EB9

_memset.LIBCMT ref: 00B0AF74
WNetAddConnection2W.MPR(?,?,?,00000000,\IPC$,?), ref: 00B0AFA9
RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0AFC5
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B0AFE1
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B0B00B
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00B0B033
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B0B03E
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B0B043

Strings

\IPC$, xrefs: 00B0AF8B
SOFTWARE\Classes\, xrefs: 00B0AF15
\CLSID, xrefs: 00B0AF2B

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: f42645568cdf5651b2fce85a3878f18a4164a8418f6303b756ea25f9aedf9092
Instruction ID: 285fcd3cf39810136765b84216476a1f772a72a5fdd6fef9ad0f77978259de5a
Opcode Fuzzy Hash: f42645568cdf5651b2fce85a3878f18a4164a8418f6303b756ea25f9aedf9092
Instruction Fuzzy Hash: 05410E76C10229ABCF15EBA4DC55DEEB7B8FF14750F00456AE912A32A1EB709E04CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B183D6 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00AD7E53: _memmove.LIBCMT ref: 00AD7EB9

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000, alias PlayMe,00000022,?,00000022,open ), ref: 00B1843F
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000,?,00000022,open ), ref: 00B18455
mciSendStringW.WINMM(?,00000000,00000000,00000000,?,00000022,open ), ref: 00B18466
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000,?,00000022,open ), ref: 00B18478
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000,?,00000022,open ), ref: 00B18489

Strings

play PlayMe wait, xrefs: 00B18473
close PlayMe, xrefs: 00B18450, 00B1847D
status PlayMe mode, xrefs: 00B1843A
play PlayMe, xrefs: 00B18484
alias PlayMe, xrefs: 00B18418
open , xrefs: 00B183EE

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 354c136427b91f3af23b073b7b96cfc25877a22bd16c4c5c73be984cc3e2d323
Instruction ID: 342258c0973706d3b4de712c553190894594fc072d9461453ec44c32d9aa8b2a
Opcode Fuzzy Hash: 354c136427b91f3af23b073b7b96cfc25877a22bd16c4c5c73be984cc3e2d323
Instruction Fuzzy Hash: 7211B665A5015979D720B7A1DC4ADFF7BFCFB91F00F40045A7412A21E1DEA04E44C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00B18097 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B1809C

Part of subcall function 00AEE3A5: timeGetTime.WINMM(?,000B88DA,00B46163), ref: 00AEE3A9

Sleep.KERNEL32(0000000A), ref: 00B180C8
EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 00B180EC
FindWindowExW.USER32 ref: 00B1810E
SetActiveWindow.USER32 ref: 00B1812D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B1813B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B1815A
Sleep.KERNEL32(000000FA), ref: 00B18165
IsWindow.USER32 ref: 00B18171
EndDialog.USER32(00000000), ref: 00B18182

Strings

BUTTON, xrefs: 00B18100

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 50287aed978787794aa1cc505dcd64abaf3d5951e0009e5a1b570682b94206e8
Instruction ID: aadfe8ca1bd2637a5c5cbcdbcf6face1b60094c6205440d3809778e869f87e1e
Opcode Fuzzy Hash: 50287aed978787794aa1cc505dcd64abaf3d5951e0009e5a1b570682b94206e8
Instruction Fuzzy Hash: 3B21BE71200304BFE7325B21BD88B663FEAF719B8AB550296F51193371DF724E968621

Uniqueness

Uniqueness Score: -1.00%

Function 00B132B0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B43C64,00000010,00000000,Bad directive syntax error,00B6DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 00B132D1
LoadStringW.USER32(00000000,?,00B43C64,00000010), ref: 00B132D8

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

_wprintf.LIBCMT ref: 00B13309
__swprintf.LIBCMT ref: 00B1332B
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B13395

Strings

Line %d:, xrefs: 00B13325
Line %d (File "%s"):, xrefs: 00B1333B
Error: , xrefs: 00B13363
., xrefs: 00B1337B
%s (%d) : ==> %s.: %s %s, xrefs: 00B13304

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 901a578e685375ecc7609349c6686209ff3e901f8420cafcae83184d52f92df3
Instruction ID: c8035cfb08384137d7b673124e92d820b83b84ae77224393f0bc26219231b00f
Opcode Fuzzy Hash: 901a578e685375ecc7609349c6686209ff3e901f8420cafcae83184d52f92df3
Instruction Fuzzy Hash: 64217F3294021EFBCF11AFD0CC16EEE77B5BF14B01F004496F516A10B1EA719A54DB55

Uniqueness

Uniqueness Score: -1.00%

Function 00AD2F58 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AD2F8B
RegisterClassExW.USER32 ref: 00AD2FB5
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AD2FC6
InitCommonControlsEx.COMCTL32(?), ref: 00AD2FE3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AD2FF3
LoadIconW.USER32(000000A9), ref: 00AD3009
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AD3018

Strings

0, xrefs: 00AD2F6D
AutoIt v3 GUI, xrefs: 00AD2FA7
+, xrefs: 00AD2F74
TaskbarCreated, xrefs: 00AD2FBB

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 373ecb87932bd636da2216f1d487d6b5b95d1a7fb7cfa1487e00f19a8fd83c04
Instruction ID: 8d2d58ee3a6431af350c784eb1548fcdf2afb64c242faa9fbd4abfa86166c161
Opcode Fuzzy Hash: 373ecb87932bd636da2216f1d487d6b5b95d1a7fb7cfa1487e00f19a8fd83c04
Instruction Fuzzy Hash: 9021E3B5900309AFDB109FA8E989BCEBBF4FB08701F00465AF611A72A0DBB10544EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B1C890 Relevance: 18.3, APIs: 12, Instructions: 316fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B1C6A0: __time64.LIBCMT ref: 00B1C6AA

Part of subcall function 00AD41A7: _fseek.LIBCMT ref: 00AD41BF

__wsplitpath.LIBCMT ref: 00B1C96F

Part of subcall function 00AF297D: __wsplitpath_helper.LIBCMT ref: 00AF29BD

_wcscpy.LIBCMT ref: 00B1C982
_wcscat.LIBCMT ref: 00B1C995
__wsplitpath.LIBCMT ref: 00B1C9BA
_wcscat.LIBCMT ref: 00B1C9D0
_wcscat.LIBCMT ref: 00B1C9E3

Part of subcall function 00B1C6E4: _memmove.LIBCMT ref: 00B1C71D
Part of subcall function 00B1C6E4: _memmove.LIBCMT ref: 00B1C72C

_wcscmp.LIBCMT ref: 00B1C92A

Part of subcall function 00B1CE59: _wcscmp.LIBCMT ref: 00B1CF49
Part of subcall function 00B1CE59: _wcscmp.LIBCMT ref: 00B1CF5C

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B1CB8D
DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B1CC24
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B1CC3A
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B1CC4B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B1CC5D

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
String ID:
API String ID: 152968663-0
Opcode ID: 24be5df67f6f47a4a24d087b529a83e793817baa5c282d07ac20739bf2336213
Instruction ID: dadd1694cb346d813f963741b83aafdfbdd0e773426bc955e8a27bbc16e3337e
Opcode Fuzzy Hash: 24be5df67f6f47a4a24d087b529a83e793817baa5c282d07ac20739bf2336213
Instruction Fuzzy Hash: A3C12DB190021DAACF11DFA5CC81EEEBBB9EF59310F4041E6F609E6151DB709A84CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B208D9 Relevance: 18.2, APIs: 12, Instructions: 196COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B2090D
_memset.LIBCMT ref: 00B20928
CoInitialize.OLE32(00000000), ref: 00B2093B
SHGetMalloc.SHELL32(?), ref: 00B20945
CoUninitialize.OLE32 ref: 00B2094F
_wcscpy.LIBCMT ref: 00B20993
SHGetDesktopFolder.SHELL32(?), ref: 00B209F5
_wcscpy.LIBCMT ref: 00B20A1B
_wcscpy.LIBCMT ref: 00B20A77
SHBrowseForFolderW.SHELL32 ref: 00B20AA2
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B20AC5
CoUninitialize.OLE32 ref: 00B20B11

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
String ID:
API String ID: 3566271842-0
Opcode ID: 28399a9a9f24d39be30e3c2afaaeb70eeac7cf229f79d4608225b5b9190562ba
Instruction ID: 64300a53c72731c9ae340df3049ada35291f0eddde6a1bbaa38d0b1900b1a6af
Opcode Fuzzy Hash: 28399a9a9f24d39be30e3c2afaaeb70eeac7cf229f79d4608225b5b9190562ba
Instruction Fuzzy Hash: FE710F75A10219AFDB10EFA4D984ADEB7F9EF49314F048496E509A7352DB34AE40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AEB039 Relevance: 18.1, APIs: 12, Instructions: 131COMMON

Download Yara Rule

APIs

Part of subcall function 00AEB155: GetWindowLongW.USER32(?,000000EB), ref: 00AEB166

GetSysColor.USER32(0000000F), ref: 00AEB067

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b97ed9ab790a9f968e2040936c54e6679321cf9ae305a831010a20334d923396
Instruction ID: 0276c4e1be143ec7e66ae0b26d79c3fb2372a92cc0c4b5bfb8958a13409045ad
Opcode Fuzzy Hash: b97ed9ab790a9f968e2040936c54e6679321cf9ae305a831010a20334d923396
Instruction Fuzzy Hash: 9941AF31110680AFDB215F29D888BBA3BA6EB06731F1843A1FD759B1E6DB309D41DB31

Uniqueness

Uniqueness Score: -1.00%

Function 00AD4257 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 235COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00B9113C,00000104,?,00000000,00000001,00000000), ref: 00AD428C

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

Part of subcall function 00AF1BC7: __wcsicmp_l.LIBCMT ref: 00AF1C50

_wcscpy.LIBCMT ref: 00AD43C0
GetModuleFileNameW.KERNEL32(00000000,00B9113C,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 00B4214E

Strings

/AutoIt3ExecuteScript, xrefs: 00AD438A
/ErrorStdOut, xrefs: 00AD434B
/AutoIt3ExecuteLine, xrefs: 00AD4375
CMDLINE, xrefs: 00AD42DA, 00AD42DF, 00AD430D
CMDLINERAW, xrefs: 00AD42AD
/AutoIt3OutputDebug, xrefs: 00AD4360

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CMDLINE$CMDLINERAW
API String ID: 861526374-1609664196
Opcode ID: 80237586bbc0fbe36ada6ab61b1e201fa6ae0eead6d6bec99c59a15a8587b484
Instruction ID: a79b4f41f4944612b7a008b887699a1658c5d462b595f85e6337be76fef9f678
Opcode Fuzzy Hash: 80237586bbc0fbe36ada6ab61b1e201fa6ae0eead6d6bec99c59a15a8587b484
Instruction Fuzzy Hash: F0816F7690011AABCB05EBE4CE52EEFB7B8AF04350F500017F542B7291EF706A45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AEE975 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00AEEA39
__wsplitpath.LIBCMT ref: 00AEEA56

Part of subcall function 00AF297D: __wsplitpath_helper.LIBCMT ref: 00AF29BD

_wcsncat.LIBCMT ref: 00AEEA69
__makepath.LIBCMT ref: 00AEEA85

Part of subcall function 00AF2BFF: __wmakepath_s.LIBCMT ref: 00AF2C13

Part of subcall function 00AF010A: std::exception::exception.LIBCMT ref: 00AF013E
Part of subcall function 00AF010A: __CxxThrowException@8.LIBCMT ref: 00AF0153

_wcscpy.LIBCMT ref: 00AEEABE

Part of subcall function 00AEEB05: RegOpenKeyExW.ADVAPI32(?,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00AEEADA,?,?), ref: 00AEEB27

_wcscat.LIBCMT ref: 00B432FC
_wcscat.LIBCMT ref: 00B43334
_wcsncpy.LIBCMT ref: 00B43370

Strings

\, xrefs: 00B43321
Include, xrefs: 00AEEA63

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
String ID: Include$\
API String ID: 1213536620-3429789819
Opcode ID: d32bab69d6abe920cb1e0553df556b16d3fa238f57216557d3d7e5ca7d356134
Instruction ID: 41a3e6a5d8ed0f2239c1caa52432e222f1705c69b5171b7adeee1837d8b12cf8
Opcode Fuzzy Hash: d32bab69d6abe920cb1e0553df556b16d3fa238f57216557d3d7e5ca7d356134
Instruction Fuzzy Hash: AB5171B2809344BFC314EFA5EE85CA6B7E8FB49300B40492FF54583261DF749648CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00AD84A6 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00AD84E5
__itow.LIBCMT ref: 00AD8519

Part of subcall function 00AF2177: _xtow@16.LIBCMT ref: 00AF2198

Strings

0x%p, xrefs: 00B45582
False, xrefs: 00B45568
%.15g, xrefs: 00AD84DF
True, xrefs: 00B45561

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: __itow__swprintf_xtow@16
String ID: %.15g$0x%p$False$True
API String ID: 1502193981-2263619337
Opcode ID: 147a45b5ec449baf1bc7dd16113089cf4ba1ab148eed1c3f939a3203ddc2b49a
Instruction ID: 7f9359553b2a309c6e5c5ff9d49d66ca8fb6fe319fa5fbb00f0be31c4c000753
Opcode Fuzzy Hash: 147a45b5ec449baf1bc7dd16113089cf4ba1ab148eed1c3f939a3203ddc2b49a
Instruction Fuzzy Hash: D2410372600A099BDB34DB78D981F7AB7F9FF44310F2044AEF54AC6292EA359A41DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B0A28D Relevance: 16.6, APIs: 11, Instructions: 109COMMON

Download Yara Rule

APIs

#41.OLEAUT32(0000000C,00000000,?,00000000), ref: 00B0A2AA
#37.OLEAUT32(?), ref: 00B0A2F5
#8.OLEAUT32(?), ref: 00B0A307
#23.WSOCK32(?,?), ref: 00B0A327
#10.WSOCK32(?,?,?,?), ref: 00B0A36A
#24.OLEAUT32(?,?,?), ref: 00B0A37E
#9.WSOCK32(?), ref: 00B0A393
#39.OLEAUT32(?), ref: 00B0A3A0
#38.OLEAUT32(?), ref: 00B0A3A9
#9.WSOCK32(?), ref: 00B0A3BB
#38.OLEAUT32(?), ref: 00B0A3C6

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a845ccd3a904b7b4150dd8154eaf95cb6ae039f4f22043c0f3e9edd1c206cb65
Instruction ID: 158483ab56f2931d39d87d170696159debba3e99751f50188b2a69d1ae0eafe2
Opcode Fuzzy Hash: a845ccd3a904b7b4150dd8154eaf95cb6ae039f4f22043c0f3e9edd1c206cb65
Instruction Fuzzy Hash: E2414F31900319AFCB11DFA4DC84ADEBFB9FF48345F0085A5F512A7251DB70AA45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B28694 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163fileCOMMON

Download Yara Rule

APIs

#115.WSOCK32(00000101,?), ref: 00B286F5
#10.WSOCK32(?,?,?), ref: 00B2873A
#52.WSOCK32(?), ref: 00B28746
IcmpCreateFile.IPHLPAPI ref: 00B28754
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B287C4
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B287DA
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B2884F
#116.WSOCK32 ref: 00B28855

Strings

Ping, xrefs: 00B28778

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$#115#116CloseCreateFileHandle
String ID: Ping
API String ID: 1853569507-2246546115
Opcode ID: 3da0e7ccf2dad6a4982da59abe804cca3ba0d0ef4f6c242652552675bab2fec4
Instruction ID: cd3f64052f0bee96d30c2462ae6c651fd17ebd3cd325395f45ca6871185b488e
Opcode Fuzzy Hash: 3da0e7ccf2dad6a4982da59abe804cca3ba0d0ef4f6c242652552675bab2fec4
Instruction Fuzzy Hash: 8451A0316053119FD721DF20DD85B6ABBE4EB48720F1489AAF55ADB2A1DF30EC00CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B1EC11 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B1EC1E
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B1EC94
GetLastError.KERNEL32 ref: 00B1EC9E
SetErrorMode.KERNEL32(00000000,READY), ref: 00B1ED0B

Strings

READONLY, xrefs: 00B1ECD6
READY, xrefs: 00B1ECE4
UNKNOWN, xrefs: 00B1ECC3
INVALID, xrefs: 00B1ECDD
NOTREADY, xrefs: 00B1ECCA

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 82811f96e3a1a1f6273ef9046cd7b8eb2aa0b799ad5718806f0d465c0ac0a92a
Instruction ID: 8b73cf093ce438974aed25ca01982b61e1ddf2f4f156d3eeabce11cec63b2d1c
Opcode Fuzzy Hash: 82811f96e3a1a1f6273ef9046cd7b8eb2aa0b799ad5718806f0d465c0ac0a92a
Instruction Fuzzy Hash: 01319235A002099FC710EB64CD85AEEB7F4FF44B10F5440A6E912E72A1DA71DE81CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C6FD Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00B0C782
GetDlgCtrlID.USER32 ref: 00B0C78D
GetParent.USER32 ref: 00B0C7A9
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B0C7AC
GetDlgCtrlID.USER32 ref: 00B0C7B5
GetParent.USER32(?), ref: 00B0C7D1
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B0C7D4

Strings

ComboBox, xrefs: 00B0C707
ListBox, xrefs: 00B0C73F

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove
String ID: ComboBox$ListBox
API String ID: 313823418-1403004172
Opcode ID: 6d9426544164f1007b4badbaad7b70e25feef23c4d2a9004d504ec75f5efc443
Instruction ID: bcca98f6c2ccace88dcefbfc63854a08b326b17568c576af68b7f230e2f9d359
Opcode Fuzzy Hash: 6d9426544164f1007b4badbaad7b70e25feef23c4d2a9004d504ec75f5efc443
Instruction Fuzzy Hash: 68219274A00208ABDB05AB64CC95EBE7BB5EF46311F104296F562D72E1DB745816DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C7E6 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00B0C869
GetDlgCtrlID.USER32 ref: 00B0C874
GetParent.USER32 ref: 00B0C890
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B0C893
GetDlgCtrlID.USER32 ref: 00B0C89C
GetParent.USER32(?), ref: 00B0C8B8
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B0C8BB

Strings

ComboBox, xrefs: 00B0C7F0
ListBox, xrefs: 00B0C828

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$_memmove
String ID: ComboBox$ListBox
API String ID: 313823418-1403004172
Opcode ID: cd536adad8491bacb2cf1d912bf45cda718b65ed331ce698f546a7087f7d846f
Instruction ID: 104afcca618cb4cbcc0d5d9456122f627c64989a094efd59e1b0442e947bb9d6
Opcode Fuzzy Hash: cd536adad8491bacb2cf1d912bf45cda718b65ed331ce698f546a7087f7d846f
Instruction Fuzzy Hash: AB21A175A00208ABDF05AB64CC95EFEBFA9EF45301F104296F512E32E1DB749816DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C8CD Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B0C8D9
GetClassNameW.USER32 ref: 00B0C8EE
_wcscmp.LIBCMT ref: 00B0C900
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B0C97B

Strings

smallicons, xrefs: 00B0C943
largeicons, xrefs: 00B0C90F
SHELLDLL_DefView, xrefs: 00B0C8FA
details, xrefs: 00B0C929
list, xrefs: 00B0C95D

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 165f7e4a06906f1434e119a458e00d543f4918dfa87d59b7d2b99291ff4f1d2e
Instruction ID: d6ba0f5db6d79eeea73d22be4e42f2aec9fa5eeaa2ed93477870d917c28a43cc
Opcode Fuzzy Hash: 165f7e4a06906f1434e119a458e00d543f4918dfa87d59b7d2b99291ff4f1d2e
Instruction Fuzzy Hash: 27118676648306F9FA163B30DD4ADA67FDCDB07764B200296FA00A60E2FF61A9538654

Uniqueness

Uniqueness Score: -1.00%

Function 00AD30A5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 66windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AD30B0
LoadCursorW.USER32(00000000,00007F00), ref: 00AD30BF
LoadIconW.USER32(00000063), ref: 00AD30D5
LoadIconW.USER32(000000A4), ref: 00AD30E7
LoadIconW.USER32(000000A2), ref: 00AD30F9

Part of subcall function 00AD318A: LoadImageW.USER32 ref: 00AD31AE

RegisterClassExW.USER32 ref: 00AD3167

Part of subcall function 00AD2F58: GetSysColorBrush.USER32(0000000F), ref: 00AD2F8B
Part of subcall function 00AD2F58: RegisterClassExW.USER32 ref: 00AD2FB5
Part of subcall function 00AD2F58: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AD2FC6
Part of subcall function 00AD2F58: InitCommonControlsEx.COMCTL32(?), ref: 00AD2FE3
Part of subcall function 00AD2F58: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AD2FF3
Part of subcall function 00AD2F58: LoadIconW.USER32(000000A9), ref: 00AD3009
Part of subcall function 00AD2F58: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AD3018

Strings

0, xrefs: 00AD3139
#, xrefs: 00AD3140
AutoIt v3, xrefs: 00AD3156

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b5793b630c0da59766e3a39c78d49bd2cab3c4e77c55c6f9a518379ac9246fff
Instruction ID: 8dffd57ad0236edec5604dc148a8623b7a1399961ad800e150c2eb1b8d9ae359
Opcode Fuzzy Hash: b5793b630c0da59766e3a39c78d49bd2cab3c4e77c55c6f9a518379ac9246fff
Instruction Fuzzy Hash: 49215EB0D04315ABCB11DFA9EE4AB99BFF5EB48310F008A2BE214A32A0DB754540DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00B1B05A Relevance: 15.3, APIs: 10, Instructions: 317COMMON

Download Yara Rule

APIs

#77.OLEAUT32(?,00000000,?,?,00000000,?,?,?,?,?,00B1A720,?,?,?,00000016), ref: 00B1B137

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e65bb673a8b69e424db10e1b68428468d00f4b9c190656d43c0f05f7566d1ad
Instruction ID: e13400244fda879c1b47ff34f7d63454cfc9dd9bca30bc08a12968bc5c8ffaed
Opcode Fuzzy Hash: 0e65bb673a8b69e424db10e1b68428468d00f4b9c190656d43c0f05f7566d1ad
Instruction Fuzzy Hash: 11C18C75A0121ADFDB00CF98D485BEEB7F4FF08315F6040AAE615E7291C734AA91CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00B14A5B Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B14A7D
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B13AD7,?,00000001), ref: 00B14A91
GetWindowThreadProcessId.USER32(00000000), ref: 00B14A98
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B13AD7,?,00000001), ref: 00B14AA7
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B14AB9
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00B13AD7,?,00000001), ref: 00B14AD2
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B13AD7,?,00000001), ref: 00B14AE4
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B13AD7,?,00000001), ref: 00B14B29
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00B13AD7,?,00000001), ref: 00B14B3E
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00B13AD7,?,00000001), ref: 00B14B49

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b99972423b15146208e7fedf61ca9241fd17fff1d7ee2173f3021efd51b0a84c
Instruction ID: 0cc4d77efa843e91b4fc212ccb0132921a80ee3df581c867692dae70f6076da9
Opcode Fuzzy Hash: b99972423b15146208e7fedf61ca9241fd17fff1d7ee2173f3021efd51b0a84c
Instruction Fuzzy Hash: D931EC75204600AFDB20EF14DD88BAAB7E9EB40712F588496F906D7190DBB0EE80CB30

Uniqueness

Uniqueness Score: -1.00%

Function 00B4EC19 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00B4EC32
SendMessageW.USER32(?,00001328,00000000,?), ref: 00B4EC49
GetWindowDC.USER32(?), ref: 00B4EC55
GetPixel.GDI32(00000000,?,?), ref: 00B4EC64
ReleaseDC.USER32 ref: 00B4EC76
GetSysColor.USER32(00000005), ref: 00B4EC94

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 40ce0e558859dbbfeceff0160a33e714ebcffb2b8e025405bf87d6a475b941e2
Instruction ID: 74a1583a4bd1402239c2a9db132346002c334c0301521ee5a6f79a42962ba8b2
Opcode Fuzzy Hash: 40ce0e558859dbbfeceff0160a33e714ebcffb2b8e025405bf87d6a475b941e2
Instruction Fuzzy Hash: D5216331500645EFDB315FB4EC48BAA7BB1FB04322F1042A1F625A60E1DF314A41EF21

Uniqueness

Uniqueness Score: -1.00%

Function 00AD45A7 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AD45F0
CoUninitialize.OLE32(?,00000000), ref: 00AD4695
UnregisterHotKey.USER32(?), ref: 00AD47BD
DestroyWindow.USER32(?), ref: 00B45936
FreeLibrary.KERNEL32(?), ref: 00B4599D
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B459CA

Strings

close all, xrefs: 00AD45EB

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b9b4325f22fe539ef89afb9249c4a9af41e13cf8e3f85f2f784d5879e59627c4
Instruction ID: 31aba384e5e0a026e8dc6dbb8771c1bd5d6261470aff22e62f5c9b66077e3bdd
Opcode Fuzzy Hash: b9b4325f22fe539ef89afb9249c4a9af41e13cf8e3f85f2f784d5879e59627c4
Instruction Fuzzy Hash: 27910635610602CFC719EF24C995BA8F7B4FF19701F5442AAE44BA7262DB30AE66CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00AEC24A Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00AEC2D2

Part of subcall function 00AEC697: GetClientRect.USER32(?,?), ref: 00AEC6C0
Part of subcall function 00AEC697: GetWindowRect.USER32 ref: 00AEC701
Part of subcall function 00AEC697: ScreenToClient.USER32 ref: 00AEC729

GetDC.USER32 ref: 00B4E006
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B4E019
SelectObject.GDI32(00000000,00000000), ref: 00B4E027
SelectObject.GDI32(00000000,00000000), ref: 00B4E03C
ReleaseDC.USER32 ref: 00B4E044
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B4E0CF

Strings

U, xrefs: 00B4DFA4

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ef4e1d2351dba1a133e8698ae4924003293d7d72046bec733f7ae8762622b261
Instruction ID: c0553c082759f28004bde2199fffd2ac6e80245a168d8c3b8c003b8b8ce7d441
Opcode Fuzzy Hash: ef4e1d2351dba1a133e8698ae4924003293d7d72046bec733f7ae8762622b261
Instruction Fuzzy Hash: BE71E231400205DFCF31DF68C881AEA7BF5FF49320F1446A9ED665A2A6C731C946EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EAA6 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AEAF8E

Part of subcall function 00AEB736: GetCursorPos.USER32(000000FF,00000000,00000000,00000000,00B91810,00B91810,?,00AEA965,00000000,000000FF,?,?,?), ref: 00AEB749
Part of subcall function 00AEB736: ScreenToClient.USER32 ref: 00AEB766
Part of subcall function 00AEB736: GetAsyncKeyState.USER32(?), ref: 00AEB78B
Part of subcall function 00AEB736: GetAsyncKeyState.USER32(?), ref: 00AEB799

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00B3EB0E
ImageList_EndDrag.COMCTL32 ref: 00B3EB14
ReleaseCapture.USER32 ref: 00B3EB1A
SetWindowTextW.USER32(?,00000000), ref: 00B3EBC2
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B3EBD5
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 00B3ECAE

Strings

@GUI_DROPID, xrefs: 00B3EC05
@GUI_DRAGFILE, xrefs: 00B3EC49

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 8fd02b52a3df897686ae0e8a1167db9604d3d83992b7f7c0eb76d01c307118ea
Instruction ID: 7111dcc81e6857496d9408ac64fdd4e5f7adbc53babad876bb86ceba0acbe70d
Opcode Fuzzy Hash: 8fd02b52a3df897686ae0e8a1167db9604d3d83992b7f7c0eb76d01c307118ea
Instruction Fuzzy Hash: 7751A931214304AFD710EF24CD96FAA7BE5FB88700F504A6EF596972E2DB709904DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B24C23 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B24C5E
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B24C8A
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00B24CCC
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B24CE1
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B24CEE
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00B24D1E
InternetCloseHandle.WININET(00000000), ref: 00B24D65

Part of subcall function 00B256A9: GetLastError.KERNEL32(?,?,00B24A2B,00000000,00000000,00000001), ref: 00B256BE

Strings

, xrefs: 00B24D17

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
String ID:
API String ID: 1241431887-3916222277
Opcode ID: bcc252154a47186195f4416eb5a896c35f3ba80843168717e3436235cf6cbbd4
Instruction ID: 0526ee5d55b98024c5ee712c0e4542a32ed44a4db7c42f3e041e8d967b81ff0e
Opcode Fuzzy Hash: bcc252154a47186195f4416eb5a896c35f3ba80843168717e3436235cf6cbbd4
Instruction Fuzzy Hash: D14190B1501628BFEB229F64DC85FFA77ECEF08354F1041A6FA099B151DBB09D448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B323C5 Relevance: 13.9, APIs: 9, Instructions: 376processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B323E6
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B32579
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B3259D
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B325DD
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B325FF
CreateProcessW.KERNEL32 ref: 00B32760
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B32792
CloseHandle.KERNEL32(?), ref: 00B327C1
CloseHandle.KERNEL32(?), ref: 00B32838

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a9ab62afb10d2eaa834e68790f07308c4ff47d2955a832ee3762d81a7a2ea8c4
Instruction ID: 058548eccad08574de24f75dec913c8be287831ae0bc198fcf0320dee46132a1
Opcode Fuzzy Hash: a9ab62afb10d2eaa834e68790f07308c4ff47d2955a832ee3762d81a7a2ea8c4
Instruction Fuzzy Hash: 59D19031604301DFC714EF24C991A6ABBE1EF84354F24859EF9859B3A2DB31ED41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B3B14A Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B3B204

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: b9d741940b221ab1586cb02f7eb148517856e66eab30f00f82061549566486f8
Instruction ID: 480e461fb427e95dbaf5799458af6ece530198303e53f6e657fd2ffd12bb2b7c
Opcode Fuzzy Hash: b9d741940b221ab1586cb02f7eb148517856e66eab30f00f82061549566486f8
Instruction Fuzzy Hash: 3C51BE30510214BEEF30AF288C99F9E3BE4EB06310F304696FB15E71A5CB71E9409B50

Uniqueness

Uniqueness Score: -1.00%

Function 00AEA599 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00B4E9EA
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B4EA0B
LoadImageW.USER32 ref: 00B4EA20
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B4EA3D
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B4EA64
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00AEA57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00B4EA6F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B4EA8C
DestroyIcon.USER32(00000000,?,?,?,?,?,?,00AEA57C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 00B4EA97

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: ffd4eb456a00be98b4280fa1694fd2879536fde9b0a7dc2b466f7ebc74aed03c
Instruction ID: 75f93841c00b3cd88462f7d921a58c8eb146c69bdde4249dac88a3549e05e72a
Opcode Fuzzy Hash: ffd4eb456a00be98b4280fa1694fd2879536fde9b0a7dc2b466f7ebc74aed03c
Instruction Fuzzy Hash: A4516870600309AFDB20CF69CC81FAA7BF5FB59750F104659F956972A0DBB0ED80AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B0CDE6 Relevance: 13.6, APIs: 9, Instructions: 65sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0E138: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B0E158
Part of subcall function 00B0E138: GetCurrentThreadId.KERNEL32 ref: 00B0E15F
Part of subcall function 00B0E138: AttachThreadInput.USER32(00000000,?,00B0CDFB,?,00000001), ref: 00B0E166

MapVirtualKeyW.USER32(00000025,00000000), ref: 00B0CE06
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B0CE23
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00B0CE26
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B0CE2F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B0CE4D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00B0CE50
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B0CE59
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B0CE70
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00B0CE73

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 90bd04e3ea88d296a4a992e9024a05b1fbf3d06a787de5a091b3650d94199a2d
Instruction ID: 73f950ab0c3f647ab39b6af662cc2c349e16bb925a79285400a70f69c9a31e2f
Opcode Fuzzy Hash: 90bd04e3ea88d296a4a992e9024a05b1fbf3d06a787de5a091b3650d94199a2d
Instruction Fuzzy Hash: 9E11A1B1550618BEFB206B74CC8EF6A7E6DEB48795F500655F3407B0E0CEF26C419AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B2C8B7 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 401COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00B2CCEE, 00B2CCFF
Not an Object type, xrefs: 00B2C916

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ad101a2c490d10f5ffe08b46f9f42a8678398fb5fae02394d8f17f4594c92900
Instruction ID: 5f466c15ad08a300ca92561c1c9ac0f815804911ea394ed4cc8d48d778013ce9
Opcode Fuzzy Hash: ad101a2c490d10f5ffe08b46f9f42a8678398fb5fae02394d8f17f4594c92900
Instruction Fuzzy Hash: 50E1C271A00229AFCF10DF68E985BAE7BF9EF48354F1440A9E949A7281D7709D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B2C604 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Part of subcall function 00B0A857: CLSIDFromProgID.OLE32 ref: 00B0A874
Part of subcall function 00B0A857: ProgIDFromCLSID.OLE32(?,00000000), ref: 00B0A88F
Part of subcall function 00B0A857: lstrcmpiW.KERNEL32(?,00000000), ref: 00B0A89D
Part of subcall function 00B0A857: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00B0A8AD

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00B2C6AD
_memset.LIBCMT ref: 00B2C6BA
_memset.LIBCMT ref: 00B2C7D8
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 00B2C804
CoTaskMemFree.OLE32(?), ref: 00B2C80F

Strings

NULL Pointer assignment, xrefs: 00B2C85D

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: cb4d9ff15c5280cb26c6d84a8bc8c005f32170e175918c4d282ae0316aa94b7c
Instruction ID: 95bfff358eab1f9b9cec175fe93c89a3f7e2bacbf762ed542c464989c6072d9a
Opcode Fuzzy Hash: cb4d9ff15c5280cb26c6d84a8bc8c005f32170e175918c4d282ae0316aa94b7c
Instruction Fuzzy Hash: 05912E71D00228AFDB10DFA4EC85EEEBBB9EF04750F10815AF519A7291DB705A45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B16237 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B162D6

Strings

info, xrefs: 00B16277
stop, xrefs: 00B162A7
question, xrefs: 00B1628F
warning, xrefs: 00B162BF
blank, xrefs: 00B16258

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 93a1d7a3409778bbc8ab0bef329cd5f81ff38d259b725a86fc0b5552ad22a3a7
Instruction ID: b63393f7431c01affb3c5df9410def423f95e03b15447d51dd30657e48dedb97
Opcode Fuzzy Hash: 93a1d7a3409778bbc8ab0bef329cd5f81ff38d259b725a86fc0b5552ad22a3a7
Instruction Fuzzy Hash: FB11203120C346FAD7055B58DC82DFA73DCDF16B24B6000E9F641A62D2F7B0AE8182E4

Uniqueness

Uniqueness Score: -1.00%

Function 00B32A0A Relevance: 12.3, APIs: 8, Instructions: 251registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

Part of subcall function 00B33AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B32AA6,?,?), ref: 00B33B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B32AE7

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 442c1bb8ceacf51ecdb41e46fe3f00f583c373c19c49a87a087aa0a04dc9498f
Instruction ID: e635252df189c08be0e054454e59b2fe1b3bb3da5b63654b555cd7524ca8dc66
Opcode Fuzzy Hash: 442c1bb8ceacf51ecdb41e46fe3f00f583c373c19c49a87a087aa0a04dc9498f
Instruction Fuzzy Hash: D7916771204201AFCB01EF14C991B6EB7E5FF88314F24889EF9969B2A1DB74E945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A1B7 Relevance: 12.1, APIs: 8, Instructions: 100fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B1A1CE

Part of subcall function 00AF010A: std::exception::exception.LIBCMT ref: 00AF013E
Part of subcall function 00AF010A: __CxxThrowException@8.LIBCMT ref: 00AF0153

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B1A205
EnterCriticalSection.KERNEL32(?), ref: 00B1A221
_memmove.LIBCMT ref: 00B1A26F
_memmove.LIBCMT ref: 00B1A28C
LeaveCriticalSection.KERNEL32(?), ref: 00B1A29B
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B1A2B0
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B1A2CF

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 431053ebc1cc2cbff2eccb3a280e2400cbaa120ed18465140c876025a74942b4
Instruction ID: 6b30616d2fd5035df698b81b0ead1629d974858828649471b7ac3d81fc63b0c2
Opcode Fuzzy Hash: 431053ebc1cc2cbff2eccb3a280e2400cbaa120ed18465140c876025a74942b4
Instruction Fuzzy Hash: 6C319031900205EBCB10EFA5DD85EAEBBB8EF44310F5481A5F904EB256DB70DE54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B38CDB Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B38CF3
GetDC.USER32(00000000), ref: 00B38CFB
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B38D06
ReleaseDC.USER32 ref: 00B38D12
CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00B38D4E
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B38D5F
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B3BB29,?,?,000000FF,00000000,?,000000FF,?), ref: 00B38D99
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B38DB9

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 020e7f2cfd45e6a9b5f85b94719e70fcb18224dbec46e5571f5aa4cf57bb7945
Instruction ID: 799e0612936b3f77b93685d14504ab03df5cf1cd7c06226f04e38f79ea8daa75
Opcode Fuzzy Hash: 020e7f2cfd45e6a9b5f85b94719e70fcb18224dbec46e5571f5aa4cf57bb7945
Instruction Fuzzy Hash: 72317F72100614BFEB218F50CC49FEA3BA9EF49755F0441A5FE08DB191DA759841CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00B32121 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B3214B
_memset.LIBCMT ref: 00B32214
ShellExecuteExW.SHELL32(?), ref: 00B32259

Part of subcall function 00AD84A6: __swprintf.LIBCMT ref: 00AD84E5
Part of subcall function 00AD84A6: __itow.LIBCMT ref: 00AD8519

Part of subcall function 00AD3BCF: _wcscpy.LIBCMT ref: 00AD3BF2

CloseHandle.KERNEL32(00000000), ref: 00B32320
FreeLibrary.KERNEL32(00000000), ref: 00B3232F

Strings

@, xrefs: 00B32225

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
String ID: @
API String ID: 4082843840-2766056989
Opcode ID: 157012a7b5c66af3f7a3503932b958eae0ea8b85a42164e6daf1c8e26c273c9d
Instruction ID: 9f8c914ed3333e23357659bb9f6abe7a7ae466fa8fb7c5a79783078ffc21192f
Opcode Fuzzy Hash: 157012a7b5c66af3f7a3503932b958eae0ea8b85a42164e6daf1c8e26c273c9d
Instruction Fuzzy Hash: C9717075A00619DFCF15EFA4CA919AEB7F5FF48310F108199E856AB351DB34AE40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B147DE Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B1481D
GetKeyboardState.USER32(?), ref: 00B14832
SetKeyboardState.USER32(?), ref: 00B14893
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B148C1
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B148E0
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B14926
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B14949

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 382294498285e727d9194da13e68727d87706620103adb70e0b9b7ab82368e3c
Instruction ID: e2ecdd9721996a016b2c07ad83c67c74974b7a3db66bb40e7602785524fc7f0b
Opcode Fuzzy Hash: 382294498285e727d9194da13e68727d87706620103adb70e0b9b7ab82368e3c
Instruction Fuzzy Hash: C251CEA0A087D53DFB3647248C45BFBBEE9AB06344F4889C9E1D55A8C2C7D8E9C8D750

Uniqueness

Uniqueness Score: -1.00%

Function 00B145F9 Relevance: 10.7, APIs: 7, Instructions: 164windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B14638
GetKeyboardState.USER32(?), ref: 00B1464D
SetKeyboardState.USER32(?), ref: 00B146AE
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B146DA
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B146F7
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B1473B
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B1475C

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 67a3a568017a9d9a607be22f48d8d3e3cb5877b8ebba7360dbd667d3f08434b9
Instruction ID: aa7c96b99dbb09840496e030768499859065a0d5e0166d30ce68ea4bcda9af5a
Opcode Fuzzy Hash: 67a3a568017a9d9a607be22f48d8d3e3cb5877b8ebba7360dbd667d3f08434b9
Instruction Fuzzy Hash: 7551C1A06087D639FB3687248C45BFABEE9EB07304F4845C9E1D94A8C2D794EDD8E750

Uniqueness

Uniqueness Score: -1.00%

Function 00B186AE Relevance: 10.6, APIs: 7, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B186BB
_wcsncpy.LIBCMT ref: 00B186F0
_wcsncpy.LIBCMT ref: 00B18722
_wcsncpy.LIBCMT ref: 00B18755
_wcsncpy.LIBCMT ref: 00B18797
_wcsncpy.LIBCMT ref: 00B187D1
_wcsncpy.LIBCMT ref: 00B18800

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 46f23b8bf12368e84efe22e3740c7f44dbbdbb8a9a0c5feb9a8c1322a5b49962
Instruction ID: b60d62e4726a8c165f65831c9915e7b91d762979b43df770cdd69e10c0fb4865
Opcode Fuzzy Hash: 46f23b8bf12368e84efe22e3740c7f44dbbdbb8a9a0c5feb9a8c1322a5b49962
Instruction Fuzzy Hash: 76413E65C10218B5CB11EBF4C986ADFB7ACEF05350FA08866F618F3162EA30E655C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 00B38DD5 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00B38DF4
GetWindowLongW.USER32(?,000000F0), ref: 00B38E27
GetWindowLongW.USER32(?,000000F0), ref: 00B38E5C
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00B38E8E
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00B38EB8
GetWindowLongW.USER32(?,000000F0), ref: 00B38EC9
SetWindowLongW.USER32 ref: 00B38EE3

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 789929ff267d83783bad0e08d97e38ed6033bfa691c6b1eb21fca2feff65be65
Instruction ID: d3e66f55158482a7f77ed6943d321f1a5f0265d66893133feb5b44bc326d7db7
Opcode Fuzzy Hash: 789929ff267d83783bad0e08d97e38ed6033bfa691c6b1eb21fca2feff65be65
Instruction Fuzzy Hash: E1311F31200221AFDB21DF58DC84FA537E5FB4A715F2942E9F5158B2B2CFB1A841EB42

Uniqueness

Uniqueness Score: -1.00%

Function 00B169F9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 00AD31DA

lstrcmpiW.KERNEL32(?,?), ref: 00B16A2B
_wcscmp.LIBCMT ref: 00B16A49
MoveFileW.KERNEL32(?,?), ref: 00B16A62

Part of subcall function 00B16D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00B16DBA
Part of subcall function 00B16D6D: GetLastError.KERNEL32 ref: 00B16DC5
Part of subcall function 00B16D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00B16DD9

_wcscat.LIBCMT ref: 00B16AA4
SHFileOperationW.SHELL32(?), ref: 00B16B0C

Strings

\*.*, xrefs: 00B16A9E

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 2323102230-1173974218
Opcode ID: 3e4d145fe918ffca4a5aec8a1a250c84b50479c2890d770f72e8f3676715ee61
Instruction ID: ebb3287bb6ff6d51649803a7e4295975c46453074ba2ae6dfeca04991a251039
Opcode Fuzzy Hash: 3e4d145fe918ffca4a5aec8a1a250c84b50479c2890d770f72e8f3676715ee61
Instruction Fuzzy Hash: 083112B1900218AACF61EFA4D945BDDB7F8AF08300F5055EAF509E3151EB309B89CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B12FCD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B12FE0
__wcsnicmp.LIBCMT ref: 00B13001
__wcsnicmp.LIBCMT ref: 00B1301B

Strings

#notrayicon, xrefs: 00B12FD8
#OnAutoItStartRegister, xrefs: 00B13015
#requireadmin, xrefs: 00B12FFB

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: a82a8da681d0cb8ffe4cb8a3a3e107a7dcc233032c0fdbf98009039d332f1c4f
Instruction ID: 2aa45f273ef7958e132405598e988ae45c8e9179b849475b8c2cb5d467df79c3
Opcode Fuzzy Hash: a82a8da681d0cb8ffe4cb8a3a3e107a7dcc233032c0fdbf98009039d332f1c4f
Instruction Fuzzy Hash: 05214632204215B7C330A7749E0AFFB73E8DF59740F9040A6F98687181FB959AC2C391

Uniqueness

Uniqueness Score: -1.00%

Function 00B3A0D6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEC619: CreateWindowExW.USER32 ref: 00AEC657
Part of subcall function 00AEC619: GetStockObject.GDI32(00000011), ref: 00AEC66B
Part of subcall function 00AEC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AEC675

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B3A13B
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B3A148
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B3A153
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B3A162
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B3A16E

Strings

Msctls_Progress32, xrefs: 00B3A10C

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 054ad82206900b5521ec224b9beb0df9e1d984519ddf47cb1dd703da9e046791
Instruction ID: f5171c4b5fd62012b0f4e6faf1a0b1ea1193942485a90f55bb67386eb7fa01b0
Opcode Fuzzy Hash: 054ad82206900b5521ec224b9beb0df9e1d984519ddf47cb1dd703da9e046791
Instruction Fuzzy Hash: 8F11B6B1140219BEEF115F65CC86EE77F5DEF09798F114215F608A7090C6729C22DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AEEB05 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,00AEEADA,?,?), ref: 00AEEB27
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,00AEEADA,?,?), ref: 00B44B26
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,00AEEADA,?,?), ref: 00B44B65
RegCloseKey.ADVAPI32(?,?,00AEEADA,?,?), ref: 00B44B94

Strings

Software\AutoIt v3\AutoIt, xrefs: 00AEEB1D
Include, xrefs: 00B44B1E, 00B44B5D

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Include$Software\AutoIt v3\AutoIt
API String ID: 1586453840-614718249
Opcode ID: 7962269e145d59f788c8d10e47b0de5cd93f5b659a72cb5bf8d9d1dde5e12bea
Instruction ID: f005c151e07c5d20479e149d15dbbfd3bbe8aa046a442d05496a85ced49ac575
Opcode Fuzzy Hash: 7962269e145d59f788c8d10e47b0de5cd93f5b659a72cb5bf8d9d1dde5e12bea
Instruction Fuzzy Hash: 91113A71A00208BEEB149BA4CD96EBE77BCEB08754F100499F506E71A1EAB09E51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AD31F2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00AD3202
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 00AD3219
LoadResource.KERNEL32(?,00000000), ref: 00B457D7
SizeofResource.KERNEL32(?,00000000), ref: 00B457EC
LockResource.KERNEL32(?), ref: 00B457FF

Strings

SCRIPT, xrefs: 00AD320F

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: bd06c6284fa1f0ea2982cd46eb510546e546468ea12570f3ccae72c1bf5e1a5c
Instruction ID: a3205e382e4190cb862e52833307396c8ba0e95916d112a1d546a1081c76b0fd
Opcode Fuzzy Hash: bd06c6284fa1f0ea2982cd46eb510546e546468ea12570f3ccae72c1bf5e1a5c
Instruction Fuzzy Hash: D4117C75600701BFEB218B65EC48F677BB9FBC9B42F1081A9B412872A0DB71DD00CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00AD2E9D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00AD2ECB
CreateWindowExW.USER32 ref: 00AD2EEC
ShowWindow.USER32(00000000), ref: 00AD2F00
ShowWindow.USER32(00000000), ref: 00AD2F09

Strings

edit, xrefs: 00AD2EE6
AutoIt v3, xrefs: 00AD2EC3, 00AD2EC8, 00AD2EC9

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b8b133ecdac9494ac707c3af5700271d3134a07596c8d0fae7056d396a7b6ff0
Instruction ID: 6a4a2034902cda3b93d34b231da7c9da8c3e7637581f2aded4c4374e7e5986bc
Opcode Fuzzy Hash: b8b133ecdac9494ac707c3af5700271d3134a07596c8d0fae7056d396a7b6ff0
Instruction Fuzzy Hash: 3BF05471A402D17AD731976B6D0DE773E7ED7C6F10F01455FBA0893170C9660881EA70

Uniqueness

Uniqueness Score: -1.00%

Function 00AEC697 Relevance: 9.3, APIs: 6, Instructions: 253COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00AEC6C0
GetWindowRect.USER32 ref: 00AEC701
ScreenToClient.USER32 ref: 00AEC729
GetClientRect.USER32(?,?), ref: 00AEC856
GetWindowRect.USER32 ref: 00AEC86F

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 82ce6b2e5410402e88a51ec4655a6eac3a501b29f223085cdb1453cdaa38feaf
Instruction ID: 57dec8343b2b026814fa3350ce422c11a5ce6a2a977e45515f87098578e096b0
Opcode Fuzzy Hash: 82ce6b2e5410402e88a51ec4655a6eac3a501b29f223085cdb1453cdaa38feaf
Instruction Fuzzy Hash: 93B14A79900289DBDF10CFA9C5807EEB7B1FF08310F14916AEC69EB255DB30AA41DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00AEE47B Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00AEE4A7

Part of subcall function 00AD7E53: _memmove.LIBCMT ref: 00AD7EB9

GetCurrentProcess.KERNEL32(00000000,00B6DC28,?,?), ref: 00AEE567
FreeLibrary.KERNEL32(00000000,?,?), ref: 00AEE5C7
FreeLibrary.KERNEL32(00000000,?,?), ref: 00AEE5DA
GetSystemInfo.KERNEL32(?,00B6DC28,?,?), ref: 00AEE5E4
GetSystemInfo.KERNEL32(?,00B6DC28,?,?), ref: 00AEE5F0

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: FreeInfoLibrarySystem$CurrentProcessVersion_memmove
String ID:
API String ID: 2884914705-0
Opcode ID: c1feb45b2ca9b5f2c3ef9076ebbff08b53156405601d44205c2357c43172662e
Instruction ID: ed26da4c0d7857fe44f88848090806614ca631c061776cb80b7a354ce7fa1cf6
Opcode Fuzzy Hash: c1feb45b2ca9b5f2c3ef9076ebbff08b53156405601d44205c2357c43172662e
Instruction Fuzzy Hash: 0261B0B180A3C4CFCF15CF6998C15E97FB4AF2A304F1949E9D8459B24BD634CA08DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00B32EC7 Relevance: 9.2, APIs: 6, Instructions: 160registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

Part of subcall function 00B33AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B32AA6,?,?), ref: 00B33B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B32FA0
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B32FE0
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B33003
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B3302C
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B3306F
RegCloseKey.ADVAPI32(00000000), ref: 00B3307C

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: a83475b9f28476dca8b32e564482c9f5ada1b6f8cea3bf11e726f9b0d9556267
Instruction ID: 0e98b399f0a19d9ad60ffaf7169bdac8a45889de1a56c1a2f5357c9099f3543f
Opcode Fuzzy Hash: a83475b9f28476dca8b32e564482c9f5ada1b6f8cea3bf11e726f9b0d9556267
Instruction Fuzzy Hash: B3516731208200AFC714EF64C995E6FBBE9FF88714F14495EF586872A1DB71EA05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B12ADC Relevance: 9.2, APIs: 6, Instructions: 158COMMON

Download Yara Rule

APIs

#8.OLEAUT32(?,00000000,?,?,?,?,?,?,?), ref: 00B12AF6
#9.WSOCK32(00000013), ref: 00B12B68
#9.WSOCK32(00000000), ref: 00B12BC3
_memmove.LIBCMT ref: 00B12BED
#9.WSOCK32(?), ref: 00B12C3A
#12.OLEAUT32(?,?,00000000,00000013,00000000,?,?,?,?,?,?,?), ref: 00B12C68

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8e908e037e18381d82efdb61bf75e24c12155100685469aab66838c5cef8a6f0
Instruction ID: 8d31898586c1871e58cf19c4b3988c8ca23c5d128b1a86ffe3fc4eba1eb296f3
Opcode Fuzzy Hash: 8e908e037e18381d82efdb61bf75e24c12155100685469aab66838c5cef8a6f0
Instruction Fuzzy Hash: 15515CB5A00209EFDB24CF58D880AAAB7F8FF4C314B158599E959DB314D730E951CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B382DB Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B3833D
GetMenuItemCount.USER32 ref: 00B38374
GetMenuStringW.USER32 ref: 00B3839C
GetMenuItemID.USER32(?,?), ref: 00B3840B
GetSubMenu.USER32 ref: 00B38419
PostMessageW.USER32(?,00000111,?,00000000), ref: 00B3846A

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 641b328f3b265cc61b6086e4d6e523295942c5924363ac5dfd1163d69407db3a
Instruction ID: da19d7ba391b83d1d6c4600b125179ec3d462ec0ad16a5417e923bdec13d34cb
Opcode Fuzzy Hash: 641b328f3b265cc61b6086e4d6e523295942c5924363ac5dfd1163d69407db3a
Instruction Fuzzy Hash: 87519C71A00219EFCF11EFA4C981AAEB7F4EF48710F244499F916BB351DB70AE418B95

Uniqueness

Uniqueness Score: -1.00%

Function 00AEB18C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00AEAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AEAF8E

BeginPaint.USER32(?,?,?,?,?,?), ref: 00AEB1C1
GetWindowRect.USER32 ref: 00AEB225
ScreenToClient.USER32 ref: 00AEB242
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AEB253
EndPaint.USER32(?,?), ref: 00AEB29D

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 78b6d36886a44df578a2e600e569d1d7605a8b39397422e081e658758234d9f0
Instruction ID: e4b72fe1a8052e1c33485919195142b6394290c6b69ed56b7658145c93bf92b7
Opcode Fuzzy Hash: 78b6d36886a44df578a2e600e569d1d7605a8b39397422e081e658758234d9f0
Instruction Fuzzy Hash: FB418D711043419FC721DF29D8C8BBB7BE8EF55320F1406A9FAA5872A1CB319945AB72

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E1A7 Relevance: 9.1, APIs: 6, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00B91810,00000000,?,?,00B91810,00B91810,?,00B4E2D6), ref: 00B3E21B
EnableWindow.USER32(?,00000000), ref: 00B3E23F
ShowWindow.USER32(00B91810,00000000,?,?,00B91810,00B91810,?,00B4E2D6), ref: 00B3E29F
ShowWindow.USER32(?,00000004,?,?,00B91810,00B91810,?,00B4E2D6), ref: 00B3E2B1
EnableWindow.USER32(?,00000001), ref: 00B3E2D5
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B3E2F8

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d19044ed2171853367aebb9b9206efd9ce41c00b711ae03dddd8aae544662173
Instruction ID: c33a74dad3e15c2f978b4275983c9644991c537c7611a385643fb34ea80e8714
Opcode Fuzzy Hash: d19044ed2171853367aebb9b9206efd9ce41c00b711ae03dddd8aae544662173
Instruction Fuzzy Hash: 56413F34640541EFDB25CF14C899B967BE5FB06314F2841E6FA688F1A2C731E845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B291DC Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

#23.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B29235
#111.WSOCK32(00000000), ref: 00B29244
#2.WSOCK32(00000000,?,00000010), ref: 00B29260
#13.WSOCK32(00000000,00000005), ref: 00B2926F
#111.WSOCK32(00000000), ref: 00B29289
#3.WSOCK32(00000000,00000000), ref: 00B2929D

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: #111
String ID:
API String ID: 568940515-0
Opcode ID: 74d47a3b675b33cdf40ae24249dfc2176d08449eddcc187071f039a15938025b
Instruction ID: 189dadcc49e0a888ebc103460604431f40d581c341a89bf33873972e3c7bb410
Opcode Fuzzy Hash: 74d47a3b675b33cdf40ae24249dfc2176d08449eddcc187071f039a15938025b
Instruction Fuzzy Hash: FB219C31600210AFDB10EF64DE85B6EB7E9EF48324F108299E95AAB391CB70AD41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E9C8 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00AEB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00AEB5EB
Part of subcall function 00AEB58B: SelectObject.GDI32(?,00000000), ref: 00AEB5FA
Part of subcall function 00AEB58B: BeginPath.GDI32(?), ref: 00AEB611
Part of subcall function 00AEB58B: SelectObject.GDI32(?,00000000), ref: 00AEB63B

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B3E9F2
LineTo.GDI32(00000000,00000003,?), ref: 00B3EA06
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B3EA14
LineTo.GDI32(00000000,00000000,?), ref: 00B3EA24
EndPath.GDI32(00000000), ref: 00B3EA34
StrokePath.GDI32(00000000), ref: 00B3EA44

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5c4469c9cc5982284f6274824d1225f365001e188382d0921b77035559d79cac
Instruction ID: b8c9089360b7178f824dc5cafa6c7ef787da7ebbb196a4139c23b0538f00d03f
Opcode Fuzzy Hash: 5c4469c9cc5982284f6274824d1225f365001e188382d0921b77035559d79cac
Instruction Fuzzy Hash: C3110976000249BFEF129F94DC88F9A7FADEB08351F048162FA199A1A0DB719D55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B0EF91 Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B0EFB6
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B0EFC7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B0EFCE
ReleaseDC.USER32 ref: 00B0EFD6
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B0EFED
MulDiv.KERNEL32(000009EC,?,?), ref: 00B0EFFF

Part of subcall function 00B0A83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00B0A79D,00000000,00000000,?,00B0AB73), ref: 00B0B2CA

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CapsDevice$ExceptionRaiseRelease
String ID:
API String ID: 603618608-0
Opcode ID: c2124ad05af0f5b27b95cc37d4f404dbde2d33dc18ae73692d70d887212dc8c6
Instruction ID: 76e1fac6fc8b9a44bc049fdb05ab2c3fea904a2dddcaa8cc64606631a4c85ed0
Opcode Fuzzy Hash: c2124ad05af0f5b27b95cc37d4f404dbde2d33dc18ae73692d70d887212dc8c6
Instruction Fuzzy Hash: 810167B5A00315BFEB109BA59C45B5EBFB8EB48751F0445A6FE04EB2D0DA709D01CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00AF87D7 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00AF87D7

Part of subcall function 00AF1E5A: __initp_misc_winsig.LIBCMT ref: 00AF1E7E
Part of subcall function 00AF1E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00AF8BE1
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00AF8BF5
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00AF8C08
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00AF8C1B
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00AF8C2E
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00AF8C41
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00AF8C54
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00AF8C67
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00AF8C7A
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00AF8C8D
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00AF8CA0
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00AF8CB3
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00AF8CC6
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00AF8CD9
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00AF8CEC
Part of subcall function 00AF1E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00AF8CFF

__mtinitlocks.LIBCMT ref: 00AF87DC

Part of subcall function 00AF8AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(00B8AC68,00000FA0,?,?,00AF87E1,00AF6AFA,00B867D8,00000014), ref: 00AF8AD1

__mtterm.LIBCMT ref: 00AF87E5

Part of subcall function 00AF884D: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00AF87EA,00AF6AFA,00B867D8,00000014), ref: 00AF89CF
Part of subcall function 00AF884D: _free.LIBCMT ref: 00AF89D6
Part of subcall function 00AF884D: DeleteCriticalSection.KERNEL32(00B8AC68,?,?,00AF87EA,00AF6AFA,00B867D8,00000014), ref: 00AF89F8

__calloc_crt.LIBCMT ref: 00AF880A
GetCurrentThreadId.KERNEL32 ref: 00AF8833

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
String ID:
API String ID: 2942034483-0
Opcode ID: 601d681e9b99c1f5979a47cdf50a7c29d326e9b5ab208906d28e51a3d1f73be0
Instruction ID: 81d2a084972453e4263cf98a52538f5ffa8749cc67db557f2acda8cb4f38511c
Opcode Fuzzy Hash: 601d681e9b99c1f5979a47cdf50a7c29d326e9b5ab208906d28e51a3d1f73be0
Instruction Fuzzy Hash: BEF0903211A7195AE67477F8BE0777A26C09F01BB0B610A2AF760D70E2FF58884141A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A3D2 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 1423608774-0
Opcode ID: 5a56b016e5457e585662fd77051147f3b31dd17fd6d1c6f14be3896c655783be
Instruction ID: 049f98e974979643cdc39a3dcf2b253ead8dc07fab688ae48d7715b9301160e6
Opcode Fuzzy Hash: 5a56b016e5457e585662fd77051147f3b31dd17fd6d1c6f14be3896c655783be
Instruction Fuzzy Hash: FD016D32102711ABD7252B54ED48FEB7BA9EF89702B8006A9F503974A1CF61B841CA55

Uniqueness

Uniqueness Score: -1.00%

Function 00B184F4 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B18504
SendMessageTimeoutW.USER32 ref: 00B1851A
GetWindowThreadProcessId.USER32(?,?), ref: 00B18529
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B18538
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B18542
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B18549

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 05579cbb520211366aea7a276a1f66fef2391a718535c7b8a4d8ffec3a0e8fcf
Instruction ID: 607e13af139952c1a52542ad8edba7b606d6eebe1048b82459a77d0e6fb38289
Opcode Fuzzy Hash: 05579cbb520211366aea7a276a1f66fef2391a718535c7b8a4d8ffec3a0e8fcf
Instruction Fuzzy Hash: C7F03072240659BBE7315B529D0EFEF7A7CDFC6B16F000298F605E2050EFA06A42C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A31D Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00B1A330
EnterCriticalSection.KERNEL32(?,?,?,?,00B466D3,?,?,?,?,?,00ADE681), ref: 00B1A341
TerminateThread.KERNEL32(?,000001F6,?,?,?,00B466D3,?,?,?,?,?,00ADE681), ref: 00B1A34E
WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00B466D3,?,?,?,?,?,00ADE681), ref: 00B1A35B

Part of subcall function 00B19CCE: CloseHandle.KERNEL32(?,?,00B1A368,?,?,?,00B466D3,?,?,?,?,?,00ADE681), ref: 00B19CD8

InterlockedExchange.KERNEL32(?,000001F6), ref: 00B1A36E
LeaveCriticalSection.KERNEL32(?,?,?,?,00B466D3,?,?,?,?,?,00ADE681), ref: 00B1A375

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 65073635c4518c6a3bcd36753c4de77a6168a6b338505c7747385af512991f12
Instruction ID: 024ac730e6a65ce312d4b1119be467a5b6c2abc8df872e020f9f3d98ee6b66b1
Opcode Fuzzy Hash: 65073635c4518c6a3bcd36753c4de77a6168a6b338505c7747385af512991f12
Instruction Fuzzy Hash: 5AF05E32141311ABD3212BA4ED48FDB7BB9EF89303F4006A1F203A64A1CFB6A841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B11050 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B110B8
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B110EE
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B110FF
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B11181

Strings

DllGetClassObject, xrefs: 00B110F4

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b80edbcd81b69634adbe3626e104ab7396bfbe5a92c4985d8550fa3c097a9711
Instruction ID: 816c08f1aa3faa3c941bad5c154866554d561c2b3f3c56a015f0affae010b616
Opcode Fuzzy Hash: b80edbcd81b69634adbe3626e104ab7396bfbe5a92c4985d8550fa3c097a9711
Instruction Fuzzy Hash: C6415BB1600204AFDB15CF58C884BDABBE9EF45350B5485E9EB09EF205D7B1D994CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B30458 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?), ref: 00B30478

Part of subcall function 00AD7F40: _memmove.LIBCMT ref: 00AD7F8F

Part of subcall function 00ADA2FB: _memmove.LIBCMT ref: 00ADA33D

Strings

stdcall, xrefs: 00B304FA
cdecl, xrefs: 00B304CF
winapi, xrefs: 00B304E9
none, xrefs: 00B30553

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: _memmove$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 2411302734-567219261
Opcode ID: a475ac73ccaeeff00e022e0d01c9cfa8dbcf5d486e6e3ca584e47092bb12477f
Instruction ID: 79f73d1a1edc220de501cdcc4c54f11982aa739eafe0372895f4b6b8715726a2
Opcode Fuzzy Hash: a475ac73ccaeeff00e022e0d01c9cfa8dbcf5d486e6e3ca584e47092bb12477f
Instruction Fuzzy Hash: 2931AE3191061AAFCF04EF58C990AEEB3F4FF25710F208A6AA466972D1DB31E905CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C600 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B0C684
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B0C697
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B0C6C7

Part of subcall function 00AD7E53: _memmove.LIBCMT ref: 00AD7EB9

Strings

ComboBox, xrefs: 00B0C60B
ListBox, xrefs: 00B0C643

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$_memmove
String ID: ComboBox$ListBox
API String ID: 458670788-1403004172
Opcode ID: 1f519271ff9702aa1b8c65022930a3a93d96a3f4048984f2080a5e499c45c2b4
Instruction ID: be9acb4cc93ded2a714e2f0909800d8e93e49626f7985a9c78ea8d54d381e2fb
Opcode Fuzzy Hash: 1f519271ff9702aa1b8c65022930a3a93d96a3f4048984f2080a5e499c45c2b4
Instruction Fuzzy Hash: E621E171A00108AEDB28ABA4C886DFFBFE9DF06350B14465AF422E32E1DB754D0AD710

Uniqueness

Uniqueness Score: -1.00%

Function 00B24A41 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B24A60
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B24A86
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B24AB6
InternetCloseHandle.WININET(00000000), ref: 00B24AFD

Part of subcall function 00B256A9: GetLastError.KERNEL32(?,?,00B24A2B,00000000,00000000,00000001), ref: 00B256BE

Strings

, xrefs: 00B24AAF

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 1951874230-3916222277
Opcode ID: 2d58cbd94d82daa141f5918fde8363cd0da7460fba696bd7ed5a82567e79c6be
Instruction ID: f225950b935fdf0c01280a48b932d6943bb7c5657cae332da1225949bf6f19af
Opcode Fuzzy Hash: 2d58cbd94d82daa141f5918fde8363cd0da7460fba696bd7ed5a82567e79c6be
Instruction Fuzzy Hash: 6521ACB5640618BEEB22DB64ACC4FBBB6ECEB49744F10415AF10996540EB748D058771

Uniqueness

Uniqueness Score: -1.00%

Function 00B38EEF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEC619: CreateWindowExW.USER32 ref: 00AEC657
Part of subcall function 00AEC619: GetStockObject.GDI32(00000011), ref: 00AEC66B
Part of subcall function 00AEC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AEC675

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B38F69
LoadLibraryW.KERNEL32(?), ref: 00B38F70
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B38F85
DestroyWindow.USER32(?), ref: 00B38F8D

Strings

SysAnimate32, xrefs: 00B38F44

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 2a676aabdb4c76c7d19ec7b1f3b6030ebcfc6d044b9d4caf37e2a7e850ceaca6
Instruction ID: 7174a72b3c65973e2bc5cacde520fbdbc5bf555b988644f3ebbaa29c122eee50
Opcode Fuzzy Hash: 2a676aabdb4c76c7d19ec7b1f3b6030ebcfc6d044b9d4caf37e2a7e850ceaca6
Instruction Fuzzy Hash: 66219A71200305AFEF105E64DC90EBB37EEEB59324F204AA9FA14971A1DB71DC9197A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E382 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B1E392
GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 00B1E3E6
__swprintf.LIBCMT ref: 00B1E3FF
SetErrorMode.KERNEL32(00000000,00000001,00000000,00B6DBF0), ref: 00B1E43D

Strings

%lu, xrefs: 00B1E3F9

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: e28718d04311343c7218bed53e94e1c4482489de08c4288452d96b3e2f055cea
Instruction ID: b89819ca06f3f43de1da7117e2f94e24209d8c36d56ab1d00fff548724db1162
Opcode Fuzzy Hash: e28718d04311343c7218bed53e94e1c4482489de08c4288452d96b3e2f055cea
Instruction Fuzzy Hash: 0B21AF35A40208AFCB10EBA4C985EEEB7B8EF49710F1040A9F509E7361DA31EE41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B30579 Relevance: 7.6, APIs: 5, Instructions: 149libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD84A6: __swprintf.LIBCMT ref: 00AD84E5
Part of subcall function 00AD84A6: __itow.LIBCMT ref: 00AD8519

LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 00B305DF
GetProcAddress.KERNEL32(00000000,?), ref: 00B3066E
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B3068C
GetProcAddress.KERNEL32(00000000,?), ref: 00B306D2
FreeLibrary.KERNEL32(00000000,00000004), ref: 00B306EC

Part of subcall function 00AEF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00B1AEA5,?,?,00000000,00000008), ref: 00AEF282
Part of subcall function 00AEF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00B1AEA5,?,?,00000000,00000008), ref: 00AEF2A6

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 04da3ee43939aa793fba5da6082c5a20093742e7e47e6c4af2b36ed8ca22de9e
Instruction ID: 2d21820d50280e0874be01c3da1c9dd51ea0ab4838796d35da20a6daff3a6ad6
Opcode Fuzzy Hash: 04da3ee43939aa793fba5da6082c5a20093742e7e47e6c4af2b36ed8ca22de9e
Instruction Fuzzy Hash: CB512675A00205DFCB00EFA8C9A5AEDB7F5EF58310F1580A6E956AB352DB30ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B32D1A Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

Part of subcall function 00B33AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B32AA6,?,?), ref: 00B33B0E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B32DE0
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B32E1F
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B32E66
RegCloseKey.ADVAPI32(?,?), ref: 00B32E92
RegCloseKey.ADVAPI32(00000000), ref: 00B32E9F

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 2ebf7e649c8d72790ecdcfebb854868454310257e578891a57c61b8e419a9bea
Instruction ID: 7d2c0c592a3f069701202d8a2fa3b05af4fd590002b6a7b2e22fec9fdc1b5456
Opcode Fuzzy Hash: 2ebf7e649c8d72790ecdcfebb854868454310257e578891a57c61b8e419a9bea
Instruction Fuzzy Hash: C7518B71204304AFC704EF64C981E6BB7E9FF88714F14496EF5968B2A1DB31E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B3CB07 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c88958a54e17d0a9ce20df2ddfa92c64c0c540c0aef05895d7d061be3ae2d6
Instruction ID: fad677d045a4a3e680c09d37cb3d736c16e32e378b293da0a8e33a6dd93a91c2
Opcode Fuzzy Hash: 86c88958a54e17d0a9ce20df2ddfa92c64c0c540c0aef05895d7d061be3ae2d6
Instruction Fuzzy Hash: CD41D636900209ABDB20DBA8CD85FA9FFE5EB09320F6542D5E919F72D1DB309D01D790

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C145 Relevance: 7.6, APIs: 5, Instructions: 88sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00B0C156
PostMessageW.USER32(?,00000201,00000001), ref: 00B0C200
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00B0C208
PostMessageW.USER32(?,00000202,00000000), ref: 00B0C216
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00B0C21E

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a1b8cc966a91bd5e02f2ca1dd5dc442eef01e2aabe33feaf33efd1679a6516d8
Instruction ID: b7684aaeca762849fcb8e213b899e0e6224343e57dfcc72c974980588c6d498f
Opcode Fuzzy Hash: a1b8cc966a91bd5e02f2ca1dd5dc442eef01e2aabe33feaf33efd1679a6516d8
Instruction Fuzzy Hash: 5631AC71900219EBDF14CFA8DE4DA9E3FB5EB04326F1043A9F925AB2D1C7B09915DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B0E9B5 Relevance: 7.6, APIs: 5, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B0E9CD
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B0E9EA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B0EA22
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B0EA48
_wcsstr.LIBCMT ref: 00B0EA52

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: dfa4c7561b1e66a45f28abef867560258a365f3be41c08993c4c540d74500356
Instruction ID: 2e5cd143c9d02036f6ac9efb8a3b3364e8d8b2eac76ad33890f38469ce94d109
Opcode Fuzzy Hash: dfa4c7561b1e66a45f28abef867560258a365f3be41c08993c4c540d74500356
Instruction Fuzzy Hash: 22214672304204BAEB259B79DD49E3B7FE8EF49750F0081A9F909DA0D1DE70DC4182A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B0CA6D Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B0CA86

Part of subcall function 00AD7E53: _memmove.LIBCMT ref: 00AD7EB9

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B0CAB8
__itow.LIBCMT ref: 00B0CAD0
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B0CAF6
__itow.LIBCMT ref: 00B0CB07

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: fd7317abbc06b42d0387054467229d4f1ae056d90223359440ce10ca09649a58
Instruction ID: b11562d04b7f9e74f252f4dfb5b821f0668fd1e8bb0d7e77cdec4bbcc203ad6f
Opcode Fuzzy Hash: fd7317abbc06b42d0387054467229d4f1ae056d90223359440ce10ca09649a58
Instruction Fuzzy Hash: 0821A7767006087BDB21AB648D56FDE7FE9EF49750F0041A5F906E72D1DB608D0583A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B16D6D Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00AD3B1E: _wcsncpy.LIBCMT ref: 00AD3B32

GetFileAttributesW.KERNEL32(?,?,00000000), ref: 00B16DBA
GetLastError.KERNEL32 ref: 00B16DC5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B16DD9
_wcsrchr.LIBCMT ref: 00B16DFB

Part of subcall function 00B16D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 00B16E31

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
String ID:
API String ID: 3633006590-0
Opcode ID: 98af6b585a7bfe9e1b1c12eddeb27e0caa274d18abbf439b36e5ae88ae24fae2
Instruction ID: 91aea034c1301f97d829472f743836d8d9e7d50fa4736d450f2c93b1cbace374
Opcode Fuzzy Hash: 98af6b585a7bfe9e1b1c12eddeb27e0caa274d18abbf439b36e5ae88ae24fae2
Instruction Fuzzy Hash: 3121A2666013189ADF206BB4ED4ABEA33ECCF01350FA007E6E521D30D2EF20CEC49A55

Uniqueness

Uniqueness Score: -1.00%

Function 00B29122 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B2ACD3: #10.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00B2ACF5

#23.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B29160
#111.WSOCK32(00000000), ref: 00B2916F
#4.WSOCK32(00000000,?,00000010), ref: 00B2918B

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: #111
String ID:
API String ID: 568940515-0
Opcode ID: fbefaf9498125187e3469ba997c8fcd665ce050b4ee84f8a64cd792b51c7d543
Instruction ID: a90c41d7c8bd00b4a37d54e7cfed8f81c2bf9a4e022b429c9cac3c4a8f00b113
Opcode Fuzzy Hash: fbefaf9498125187e3469ba997c8fcd665ce050b4ee84f8a64cd792b51c7d543
Instruction Fuzzy Hash: F821C031200211AFDB10AF28DD89B6E77E9EF48725F048599F91AEB3D2CA74EC018B51

Uniqueness

Uniqueness Score: -1.00%

Function 00B289AD Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B289CE
GetForegroundWindow.USER32 ref: 00B289E5
GetDC.USER32(00000000), ref: 00B28A21
GetPixel.GDI32(00000000,?,00000003), ref: 00B28A2D
ReleaseDC.USER32 ref: 00B28A68

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: db1f27855478bde3d7879ea829563f9b5a1e58c9ddcde0c45e73b390620e6bbc
Instruction ID: 1f75b18c7aadd413b32affdd685f719274521bafb058661847a9cbdd81897c96
Opcode Fuzzy Hash: db1f27855478bde3d7879ea829563f9b5a1e58c9ddcde0c45e73b390620e6bbc
Instruction Fuzzy Hash: A8218175A00210AFDB10EFA5DD89BAA7BF5EF48301F0484B9E94AD7351CE70AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AF2E57 Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00AF2E81
CreateThread.KERNEL32 ref: 00AF2EC5
GetLastError.KERNEL32 ref: 00AF2ECF
_free.LIBCMT ref: 00AF2ED8
__dosmaperr.LIBCMT ref: 00AF2EE3

Part of subcall function 00AF889E: __getptd_noexit.LIBCMT ref: 00AF889E

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 5da0b23ec749b7c197e59d1f7233bb9fcf7bff8b714161962a1bc0df58ab3184
Instruction ID: ec5054d3f6434c0b3965075c594194c6a4d585fc5d5faa2ace23ad1d69b3a4da
Opcode Fuzzy Hash: 5da0b23ec749b7c197e59d1f7233bb9fcf7bff8b714161962a1bc0df58ab3184
Instruction Fuzzy Hash: 53118E3210470EABA721AFE5DD41EBB7BA8EF447A0B210529FB1486191EB35881087A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B18355 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B18371
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00B1837F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B18387
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00B18391
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B183CD

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: df307501396eff3d6768f6517cf9b6fd5e8a1e259204fd4371001868835c097e
Instruction ID: ac5c11a635d5a15581f56719730ef6f90525b8671d51fbd06a937df93182994a
Opcode Fuzzy Hash: df307501396eff3d6768f6517cf9b6fd5e8a1e259204fd4371001868835c097e
Instruction Fuzzy Hash: 87011B75D00A19DBCF10ABA4E948AEEBBB8FF08B01F440596E551B2150DF709A9087A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B0A857 Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32 ref: 00B0A874
ProgIDFromCLSID.OLE32(?,00000000), ref: 00B0A88F
lstrcmpiW.KERNEL32(?,00000000), ref: 00B0A89D
CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00B0A8AD
CLSIDFromString.OLE32(?,?), ref: 00B0A8B9

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 9aa665b7bd4439e43254f8f7ae3e09cee00f43844aa6dd65158a9311bc9ad769
Instruction ID: d036746bcebfed1822b3a8e21a9253a2a4ed74e2342d7f7e61bf0c19e93af9be
Opcode Fuzzy Hash: 9aa665b7bd4439e43254f8f7ae3e09cee00f43844aa6dd65158a9311bc9ad769
Instruction Fuzzy Hash: 58014F76600314AFDB215F54DC88B9A7FEDEF44792F1489A4B901D3290DB70DD419BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B1EFCD Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B178AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 00B178CB

CoInitialize.OLE32(00000000), ref: 00B1F04D
CoCreateInstance.OLE32(00B5DA7C,00000000,00000001,00B5D8EC,?), ref: 00B1F066
CoUninitialize.OLE32 ref: 00B1F083

Part of subcall function 00AD84A6: __swprintf.LIBCMT ref: 00AD84E5
Part of subcall function 00AD84A6: __itow.LIBCMT ref: 00AD8519

Strings

.lnk, xrefs: 00B1F02B, 00B1F03D

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 5c567564db028f4d47926121a3edad4e5389e5f37b684077f4725cf095366247
Instruction ID: 4ee5bdb8c319f787ab499519195e5e45a21576cc3f6a78953f1673e0e7956218
Opcode Fuzzy Hash: 5c567564db028f4d47926121a3edad4e5389e5f37b684077f4725cf095366247
Instruction Fuzzy Hash: CDA15975604302AFC710DF14C984D6ABBE5FF88724F148999F896AB361CB31ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B1503C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00B6DC40,?,0000000F,0000000C,00000016,00B6DC40,?), ref: 00B1507B

Part of subcall function 00AD84A6: __swprintf.LIBCMT ref: 00AD84E5
Part of subcall function 00AD84A6: __itow.LIBCMT ref: 00AD8519

Part of subcall function 00ADB8A7: _memmove.LIBCMT ref: 00ADB8FB

CharUpperBuffW.USER32(?,?,00000000,?), ref: 00B150FB

Strings

THIS, xrefs: 00B15139
REMOVE, xrefs: 00B150AC

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: BuffCharUpper$__itow__swprintf_memmove
String ID: REMOVE$THIS
API String ID: 2528338962-776492005
Opcode ID: a8ff0ace7358ca7cdb4bbc12029e9726b761cd80c5e6a4eda0f73d45294efb53
Instruction ID: 10740fb7cbdc86a29c4959301b9ef03d058c04049a181c79df1e197e1088a032
Opcode Fuzzy Hash: a8ff0ace7358ca7cdb4bbc12029e9726b761cd80c5e6a4eda0f73d45294efb53
Instruction Fuzzy Hash: 8B41AD35A00609EFCB11DF64C981AEEB7F5FF88304F5480AAE816AB352DB309D91CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B0CF7F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B14D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B0C9FE,?,?,00000034,00000800,?,00000034), ref: 00B14D6B

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B0CFC9

Part of subcall function 00B14D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B0CA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 00B14D36

Part of subcall function 00B14C65: GetWindowThreadProcessId.USER32(?,?), ref: 00B14C90
Part of subcall function 00B14C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B0C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00B14CA0
Part of subcall function 00B14C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B0C9C2,00000034,?,?,00001004,00000000,00000000), ref: 00B14CB6

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B0D036
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B0D083

Strings

@, xrefs: 00B0D09B

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 5c3151df43f494b5791510a3af445f1a0a0414f7c691a06ea51b9436d40bcc17
Instruction ID: a324eca25dd69f01f4d85b1ec3ef47a107d31c323caffa04bbe7408fb15a0b7c
Opcode Fuzzy Hash: 5c3151df43f494b5791510a3af445f1a0a0414f7c691a06ea51b9436d40bcc17
Instruction Fuzzy Hash: 5F414B72A00218AFDB10DFA4CC91FDEBBB8EF49700F148195EA45B7181DB706E85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3A44D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B6DBF0,00000000,?,?,?,?), ref: 00B3A4E6
GetWindowLongW.USER32 ref: 00B3A503
SetWindowLongW.USER32 ref: 00B3A513

Strings

SysTreeView32, xrefs: 00B3A4B8

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 66dace3fdb5d3acf5c8c373c7a83e33200da2199c07d4b25279f36028624fa74
Instruction ID: 1b8bbebc38b480df410c8889d66835d75c4f63a0393f535d962d6267240d2c0c
Opcode Fuzzy Hash: 66dace3fdb5d3acf5c8c373c7a83e33200da2199c07d4b25279f36028624fa74
Instruction Fuzzy Hash: 5A31AD32200206ABDB219E38CC45BEA7BA9EB49324F358765F8B5932E0D770E8519B50

Uniqueness

Uniqueness Score: -1.00%

Function 00B3A698 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B3A74F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B3A75D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B3A764

Strings

msctls_updown32, xrefs: 00B3A6C9

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3a81362b25282fef0e6f01ae5331648ae5ed002883fb8dbb8621dab9d935da0b
Instruction ID: bc067f4bf3a12ca1cbc305ea81bdef87146914b2279bc7950e681d8082801e73
Opcode Fuzzy Hash: 3a81362b25282fef0e6f01ae5331648ae5ed002883fb8dbb8621dab9d935da0b
Instruction Fuzzy Hash: 42214CB5600209BFDB10DF68CDC1EA737EDEB4A7A4F240599FA019B261CB70EC11DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00B3A217 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B3A27B
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B3A290
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B3A29D

Strings

msctls_trackbar32, xrefs: 00B3A252

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 6bedc500f255e9facc122599dd701980e194b53e810a682b69b69ad115a64bcf
Instruction ID: c7d1f2f858c60fb198d576263fca8091066fe3c18f8da26a2569ab42cf88667d
Opcode Fuzzy Hash: 6bedc500f255e9facc122599dd701980e194b53e810a682b69b69ad115a64bcf
Instruction Fuzzy Hash: A511E771200308BADB245F65CC46F973BA8EF89B54F214218FA55A70D0D672D852DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AF413E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__getstream.LIBCMT ref: 00AF418E

Part of subcall function 00AF889E: __getptd_noexit.LIBCMT ref: 00AF889E

@_EH4_CallFilterFunc@8.LIBCMT ref: 00AF41C9
__wopenfile.LIBCMT ref: 00AF41D9

Strings

<G, xrefs: 00AF415D, 00AF4180, 00AF418C

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
String ID: <G
API String ID: 1820251861-2138716496
Opcode ID: 590a3ca58fbaa884516277bbda6e03b36d046e35adfa99b2efb708ea0398bf00
Instruction ID: 13de683c6facdd67d00b2e467852930c64c5e5e59417584282a7aefc74575260
Opcode Fuzzy Hash: 590a3ca58fbaa884516277bbda6e03b36d046e35adfa99b2efb708ea0398bf00
Instruction Fuzzy Hash: E811C67090020E9EEB10BFF48D426BF3BF4AF58790B148625BA15DB291EB74C99197A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AEC955 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00AEC948,SwapMouseButtons,00000004,?), ref: 00AEC979
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?,?,?,00AEC948,SwapMouseButtons,00000004,?,?,?,?,00AEBF22), ref: 00AEC99A
RegCloseKey.ADVAPI32(00000000,?,?,00AEC948,SwapMouseButtons,00000004,?,?,?,?,00AEBF22), ref: 00AEC9BC

Strings

Control Panel\Mouse, xrefs: 00AEC977

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f450379f75410a8a83fcbe0810a9e2ac0bc5a0d14f2c3e48c6d849935cd37bc3
Instruction ID: 485564f6dd774f7260532e8ef93315307d76a4832d3a9ad2f0d4029ca3a2d56d
Opcode Fuzzy Hash: f450379f75410a8a83fcbe0810a9e2ac0bc5a0d14f2c3e48c6d849935cd37bc3
Instruction Fuzzy Hash: ED117976611248BFDB218FA5DC44EAF7BB8EF04760F00456AA841E7211E631AE429B60

Uniqueness

Uniqueness Score: -1.00%

Function 00AF2F5F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00AF3028,?), ref: 00AF2F79
GetProcAddress.KERNEL32(00000000), ref: 00AF2F80

Strings

combase.dll, xrefs: 00AF2F74
RoInitialize, xrefs: 00AF2F68

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 2574300362-340411864
Opcode ID: b8364fdbbb83254775892911d96ef0655571b8a6428c2d5b17e5cf17060f5316
Instruction ID: 2e7f208251d2182e66ee28b18c3ab7216c7df0917efedcb97f16f57be4a361d5
Opcode Fuzzy Hash: b8364fdbbb83254775892911d96ef0655571b8a6428c2d5b17e5cf17060f5316
Instruction Fuzzy Hash: 43E01A706A4316AFEB206F70ED49B5536A4A704706F5001A6B602F70B0CFB54094DF04

Uniqueness

Uniqueness Score: -1.00%

Function 00AF3034 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AF2F4E), ref: 00AF304E
GetProcAddress.KERNEL32(00000000), ref: 00AF3055

Strings

combase.dll, xrefs: 00AF3049
RoUninitialize, xrefs: 00AF303D

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 2574300362-2819208100
Opcode ID: 1f0472e962bed8c54ba219b30f2c68d3a8ed88470408663855d725c30c67ea9c
Instruction ID: a1ae2a5c22b262e32e55cf1f4561d6658fe38fa6762abee5a607d4579e4c79f1
Opcode Fuzzy Hash: 1f0472e962bed8c54ba219b30f2c68d3a8ed88470408663855d725c30c67ea9c
Instruction Fuzzy Hash: BCE0EC70654314AFEB306F61EE0DB253AA4BB04703F10019AF609F30B0CFB54544CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00AD2A7F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18windowregistrytimeCOMMON

Download Yara Rule

APIs

SetTimer.USER32 ref: 00AD2A80
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AD2A8B
CreatePopupMenu.USER32 ref: 00AD2A9F

Strings

TaskbarCreated, xrefs: 00AD2A86

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CreateMenuMessagePopupRegisterTimerWindow
String ID: TaskbarCreated
API String ID: 2762092240-2362178303
Opcode ID: a00d9ec42419e461f4565f9441a42ae58bbcd2ebaa30996ecb17f3bfaa05abe4
Instruction ID: 707e64c7321eecf6eb517a2ce8a349b3ddf92de9e62a6e8f70bdd1f06ec8de82
Opcode Fuzzy Hash: a00d9ec42419e461f4565f9441a42ae58bbcd2ebaa30996ecb17f3bfaa05abe4
Instruction Fuzzy Hash: 4DE0E271A047039EC320AFA5AA4975537A5F728382B200AA7E41783224EF650042EBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00B320F6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B320EC,?,00B322E0), ref: 00B32104
GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00B32116

Strings

kernel32.dll, xrefs: 00B320FF
GetProcessId, xrefs: 00B32110

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetProcessId$kernel32.dll
API String ID: 2574300362-399901964
Opcode ID: dc06ad4ac1163cc4743adb2790cc7c637788adbae60d83e66067757fd210a514
Instruction ID: 372b3629d73db5828e100f2ec5d0fd75373cd410fc6a68d004322b42e14aed58
Opcode Fuzzy Hash: dc06ad4ac1163cc4743adb2790cc7c637788adbae60d83e66067757fd210a514
Instruction Fuzzy Hash: BED05E34400B128BD7306B60E80974637D4AB04302F104499E649A2165DB70D480CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00AEE6A6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AEE69C,000B7B3E,00AEE5AC,00B6DC28,?,?), ref: 00AEE6B4
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AEE6C6

Strings

kernel32.dll, xrefs: 00AEE6AF
GetNativeSystemInfo, xrefs: 00AEE6C0

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 59b0d2ff698e7ad45d754cbd36d0cf6a4cc688fe29d71b3ac9e631c2a7438a77
Instruction ID: cdaa7b32b66f87e363a5d6982ace4414f3c3f5dff3f7dc77c1dce7bfad1eb13d
Opcode Fuzzy Hash: 59b0d2ff698e7ad45d754cbd36d0cf6a4cc688fe29d71b3ac9e631c2a7438a77
Instruction Fuzzy Hash: 18D0A934800B128FD730AF32E80870236E8AB24303B0055AAE885E2270DBB0C880CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00AEE6E3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AEE6D9,?,00AEE55B,00B6DC28,?,?), ref: 00AEE6F1
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00AEE703

Strings

IsWow64Process, xrefs: 00AEE6FD
kernel32.dll, xrefs: 00AEE6EC

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: db08befb7332769e7b0b8b617e63dfbe0d6a45a6f74be22e0196e72b0eeb844c
Instruction ID: 6051a6e3b7176b2cd64885d286d902b1105e0efc266ac804e6932e5b2ad11ae3
Opcode Fuzzy Hash: db08befb7332769e7b0b8b617e63dfbe0d6a45a6f74be22e0196e72b0eeb844c
Instruction Fuzzy Hash: 07D0C974500B529FD730BF76E85D7477BE8BB04716B1055AAE895E3271DBB0C880CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B2EBB9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B2EBAF,?,00B2EAAC), ref: 00B2EBC7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B2EBD9

Strings

kernel32.dll, xrefs: 00B2EBC2
GetSystemWow64DirectoryW, xrefs: 00B2EBD3

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 9d8b51957b666973bcf7d4bcb6c9b3d2f7fb52a9ae527fbba5280e57341a8281
Instruction ID: a451dd39c998c9525f981d6262429f36970d5f7410c2042bba4cc115f4169069
Opcode Fuzzy Hash: 9d8b51957b666973bcf7d4bcb6c9b3d2f7fb52a9ae527fbba5280e57341a8281
Instruction Fuzzy Hash: 1ED05E348047228BD7302F31A888B0136D4AB04306B548499F86AA2260DF70D880CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00B0A8C8 Relevance: 6.3, APIs: 4, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c666fe6e780b60b22ccf1b199f43bea9866a0c74e56771863c7ae4025e2c3b9d
Instruction ID: 323308d43d33646ad6362cbe291da648220e82cf52f592a13a3047a2fa83a381
Opcode Fuzzy Hash: c666fe6e780b60b22ccf1b199f43bea9866a0c74e56771863c7ae4025e2c3b9d
Instruction Fuzzy Hash: AEC14D75A00216EFCB14DF94C984EAEBBB5FF48700F1089D9E902AB291D770EE41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ADAA70 Relevance: 6.3, APIs: 4, Instructions: 300COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00B26AA6), ref: 00ADAB2D
_wcscmp.LIBCMT ref: 00ADAB49

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcscmp
String ID:
API String ID: 820872866-0
Opcode ID: c0e5dde75827f58bc46cf9b8d5e02a5f4a72bc44a45a4529de52807adfa28eef
Instruction ID: 516f3cf76b529ec7cb9af075b6f2ecfbccda6d81e76c6f151ac0d99265931708
Opcode Fuzzy Hash: c0e5dde75827f58bc46cf9b8d5e02a5f4a72bc44a45a4529de52807adfa28eef
Instruction Fuzzy Hash: 5BA1F070B0010ADBDB14DF65EA816A9BBB1FF58310F64816BE857873A0EB309D71D782

Uniqueness

Uniqueness Score: -1.00%

Function 00B30D01 Relevance: 6.3, APIs: 4, Instructions: 300memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B30D85
CharLowerBuffW.USER32(?,?), ref: 00B30DC8

Part of subcall function 00B30458: CharLowerBuffW.USER32(?,?,?,?), ref: 00B30478

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B30FB2
_memmove.LIBCMT ref: 00B30FC2

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: f21feec8869377a0f8b16642602b4292a4bb98ffe547dd48dc4ea98820c001e5
Instruction ID: 17abf279774e47b4b36b8103ac23490c482f6825f34ed75abcd33061aafbe1b3
Opcode Fuzzy Hash: f21feec8869377a0f8b16642602b4292a4bb98ffe547dd48dc4ea98820c001e5
Instruction Fuzzy Hash: 01B18F71A043018FC714DF28C59096AB7E4EF89754F2489AEF88ADB352DB31ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B2AF26 Relevance: 6.3, APIs: 4, Instructions: 268COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B2AF56
CoUninitialize.OLE32 ref: 00B2AF61

Part of subcall function 00B11050: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B110B8

#8.OLEAUT32(?), ref: 00B2AF6C
#9.WSOCK32(?), ref: 00B2B23F

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID:
API String ID: 948891078-0
Opcode ID: cabddd532fce91deb75f571f05d19dcb1283775bbbfb96214115170a993a3334
Instruction ID: 9614cf20b50ad096cd0a1f17a544f0ac45bef2e354c8e08ad57b94a67e9fd6ef
Opcode Fuzzy Hash: cabddd532fce91deb75f571f05d19dcb1283775bbbfb96214115170a993a3334
Instruction Fuzzy Hash: E3A113756047119FCB10DF14D991F2AB7E5BF88364F048599F99AAB3A2CB34ED40CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00ADC320 Relevance: 6.3, APIs: 4, Instructions: 259fileCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ADC419
ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,00B16653,?,?,00000000), ref: 00ADC495

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: FileRead_memmove
String ID:
API String ID: 1325644223-0
Opcode ID: eab3ecde765cc5d3e59b625db08c5fb9b51a03d7933c080430a713e28fdf587d
Instruction ID: e66e0f7247b007a266ce1844daaf14cd818631962b95599befeed5b4ffb7fac1
Opcode Fuzzy Hash: eab3ecde765cc5d3e59b625db08c5fb9b51a03d7933c080430a713e28fdf587d
Instruction Fuzzy Hash: CCA1ED70A0461AEBDF00CF65C984BA9FBB0FF05310F54C296E8669B391D731EA60DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AF42EB Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF4347
_memcpy_s.LIBCMT ref: 00AF43B9
__filbuf.LIBCMT ref: 00AF443A
_memset.LIBCMT ref: 00AF447E

Part of subcall function 00AF889E: __getptd_noexit.LIBCMT ref: 00AF889E

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit_memcpy_s
String ID:
API String ID: 3877424927-0
Opcode ID: e32231b6dc630e7bc50233d96a8fcff1e19409cefeea7d324ce0ed3258b5a775
Instruction ID: 9ef4c82505c3357614d6739c7a4e2b5d8c2476c2369c2d8ad204d31f6295abd5
Opcode Fuzzy Hash: e32231b6dc630e7bc50233d96a8fcff1e19409cefeea7d324ce0ed3258b5a775
Instruction Fuzzy Hash: 9251B330A0030DDBDB249FF989806BF77B5AF48361F248729FA75AA2D0D7709E519B40

Uniqueness

Uniqueness Score: -1.00%

Function 00B1CC82 Relevance: 6.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

Part of subcall function 00AD41A7: _fseek.LIBCMT ref: 00AD41BF

Part of subcall function 00B1CE59: _wcscmp.LIBCMT ref: 00B1CF49
Part of subcall function 00B1CE59: _wcscmp.LIBCMT ref: 00B1CF5C

_free.LIBCMT ref: 00B1CDC9
_free.LIBCMT ref: 00B1CDD0
_free.LIBCMT ref: 00B1CE3B

Part of subcall function 00AF28CA: HeapFree.KERNEL32(00000000,00000000,?,00AF8715,00000000,00AF88A3,00AF4673,?), ref: 00AF28DE
Part of subcall function 00AF28CA: GetLastError.KERNEL32(00000000,?,00AF8715,00000000,00AF88A3,00AF4673,?), ref: 00AF28F0

_free.LIBCMT ref: 00B1CE43

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 15778ba72920791714c7c722a74a6e9f1af9b644d6dcfb0e587b8ea0fc370858
Instruction ID: bd1b91658868ae6670db94aa836bfa349f7a612c8327c0532fb2b7c4d15532cd
Opcode Fuzzy Hash: 15778ba72920791714c7c722a74a6e9f1af9b644d6dcfb0e587b8ea0fc370858
Instruction Fuzzy Hash: 6E514BB1904218AFDF149FA4DC81BAEBBB9EF48340F1040AEF659A3251D7715E808F69

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C2E7 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00B3C354
ScreenToClient.USER32 ref: 00B3C384
MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 00B3C3EA

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 8c8d4074097763425d1974d776c8c50d976be1d576fa621ed6c49f4c6a181994
Instruction ID: a7ee8dcc27b13ea016e72a19860d196044cbc3b4d77a0a207a9f9dd594e2ec18
Opcode Fuzzy Hash: 8c8d4074097763425d1974d776c8c50d976be1d576fa621ed6c49f4c6a181994
Instruction Fuzzy Hash: 2C513D71900205EFCF20DFA8C990AAE7BF6FB45360F248599F925AB291D770AD41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B14342 Relevance: 6.1, APIs: 4, Instructions: 112keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B1439C
SetKeyboardState.USER32(00000080,?,00000001), ref: 00B143B8
PostMessageW.USER32(00000000,00000102,?,00000001), ref: 00B14425
SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00B14483

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9fa75c43070931ca6fda50664ed981ad6d73f6c208be8e5e5c1e3c1b500fe398
Instruction ID: 1cb36436f89b6ab54bc38236f6c5df185b5459c6d4637a0957441aa2ad2362be
Opcode Fuzzy Hash: 9fa75c43070931ca6fda50664ed981ad6d73f6c208be8e5e5c1e3c1b500fe398
Instruction Fuzzy Hash: 9A4123B0A00248AAEF309B65A848BFDBBF5EB55711F8401DAF481933C1CB748EC59765

Uniqueness

Uniqueness Score: -1.00%

Function 00B1EE88 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B1EF32
GetLastError.KERNEL32(?,00000000), ref: 00B1EF58
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B1EF7D
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B1EFA9

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d5a02912da09e4c2eb2dd16ec195bd82f57898cc91b7072ca709a938248b452d
Instruction ID: 5a629abf6e3fc65ba065a76af55e200b150a6a6c1a4dd36e8a4037fab30cb64d
Opcode Fuzzy Hash: d5a02912da09e4c2eb2dd16ec195bd82f57898cc91b7072ca709a938248b452d
Instruction Fuzzy Hash: 75414A39600611DFCB11EF15C644A49BBF6EF89320B198089EC5AAF362CB74FD81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B14497 Relevance: 6.1, APIs: 4, Instructions: 104keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,000B86B2,?,00008000), ref: 00B144EE
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B1450A
PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00B1456A
SendInput.USER32(00000001,?,0000001C,000B86B2,?,00008000), ref: 00B145C8

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b45026d06f9a5e81933d137b7a6114dd039d18022c86abcf2433a357a8fa2da0
Instruction ID: c051475087486f217de372b7415186c798820cf4bdb00e78300efbdc9e618ea9
Opcode Fuzzy Hash: b45026d06f9a5e81933d137b7a6114dd039d18022c86abcf2433a357a8fa2da0
Instruction Fuzzy Hash: A3310671A002589FEF309B649818BFE7BE6DB66715F8402DAF081531C1DB748EC5D761

Uniqueness

Uniqueness Score: -1.00%

Function 00B04DB4 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B04DE8
__isleadbyte_l.LIBCMT ref: 00B04E16
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00B04E44
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00B04E7A

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 68ee3bde4f9eac4738f2e995a87f2670b3e768ed966e32063a43bf2cb421a6db
Instruction ID: f07cad0609edfd57283a9051d61d9ed09d5f61afcf7b1fafab6444c0a82c2254
Opcode Fuzzy Hash: 68ee3bde4f9eac4738f2e995a87f2670b3e768ed966e32063a43bf2cb421a6db
Instruction Fuzzy Hash: 0A31ACB1600206AFDF259E74C885BAA7FE6FF41350F1585A9EA21871E0E730EC91DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EFA8 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AEAF7D: GetWindowLongW.USER32(?,000000EB), ref: 00AEAF8E

GetCursorPos.USER32(?,?,?,?,?,?,?,?,00B4F3C3,?,?,?,?,?), ref: 00B3EFE2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B4F3C3,?,?,?,?,?), ref: 00B3EFF7
GetCursorPos.USER32(?,?,?,?,?,?,?,?,?,00B4F3C3,?,?,?,?,?), ref: 00B3F041
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B4F3C3,?,?,?), ref: 00B3F077

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: ab5d11baea6d91efdd9a927952f0b63fb4b21bd925a72f74723ef5b8d9f47974
Instruction ID: 79e63bdf5f83f022c15648f7eadb8971e875571f45d8adfc2ddc777cdea42679
Opcode Fuzzy Hash: ab5d11baea6d91efdd9a927952f0b63fb4b21bd925a72f74723ef5b8d9f47974
Instruction Fuzzy Hash: E021E135900118BFCB298FA8C898EFA7BF5EB49710F1440A9F905472A2C7319D51EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B2497B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B249B7

Part of subcall function 00B24A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B24A60
Part of subcall function 00B24A41: InternetCloseHandle.WININET(00000000), ref: 00B24AFD

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: bb755e60cb813db275015fbcaa8a99d7d6339e5fc11be228e81e3ecead8cf6fa
Instruction ID: 4eeea9e3584f4a0974f4bec11dd5d1d3b50016226af045e7cd6f0411f4db8c58
Opcode Fuzzy Hash: bb755e60cb813db275015fbcaa8a99d7d6339e5fc11be228e81e3ecead8cf6fa
Instruction Fuzzy Hash: FF21D431240B15BFDB229F60AC00FBBBBE9FB49701F10415AFA0997950EB719811A794

Uniqueness

Uniqueness Score: -1.00%

Function 00B2900C Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

#18.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00B2906D
#151.WSOCK32(00000000,00000001), ref: 00B2907F
#1.WSOCK32(00000000,00000000,00000000), ref: 00B2908C
#111.WSOCK32(00000000), ref: 00B290A3

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: #111#151
String ID:
API String ID: 728308991-0
Opcode ID: 19573f587ed6a4ca676f4a8c02984ee5609b71a15b5d35ee9d13480260b4a5d0
Instruction ID: 78e278fbd7cb02fdd7a0905555998f5803cc7ed7d2f74b58e5436de79ad30040
Opcode Fuzzy Hash: 19573f587ed6a4ca676f4a8c02984ee5609b71a15b5d35ee9d13480260b4a5d0
Instruction Fuzzy Hash: 202154719002249FC720DF69DD85ADABBFCEF49710F1081AAF849D7291DA749E41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B38834 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00B388A3
SetWindowLongW.USER32 ref: 00B388BD
SetWindowLongW.USER32 ref: 00B388CB
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B388D9

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 2d62322d1e1a36f544e3985e36a3e27d8d6f4f52da7a20bde51a9914cf4a4af9
Instruction ID: aa1ca36e4957b764614c23be2044d40fe3ecf68a108b6e9f15fa4493a8ca2c90
Opcode Fuzzy Hash: 2d62322d1e1a36f544e3985e36a3e27d8d6f4f52da7a20bde51a9914cf4a4af9
Instruction Fuzzy Hash: 97118E31245214AFDB14AB28CC55FAA7BEAEF85321F144259F816C73E2CB74AD40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B1713C Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B1715C
_memset.LIBCMT ref: 00B1717D
DeviceIoControl.KERNEL32 ref: 00B171CF
CloseHandle.KERNEL32(00000000), ref: 00B171D8

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 0345ceb4c1bb6e2e25bdefa9dd4d3e39e6a5a0e914b216a79f71c261ff247341
Instruction ID: df855e11c64946ea240781e627485aa2b667e657bdd55c532f0b10544d36c2f8
Opcode Fuzzy Hash: 0345ceb4c1bb6e2e25bdefa9dd4d3e39e6a5a0e914b216a79f71c261ff247341
Instruction Fuzzy Hash: 3D11CA759413287AD7309BA5AC4DFEBBABCEF45760F1042DAF504E71D0D6744E808BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B292C0 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 00AEF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,00B1AEA5,?,?,00000000,00000008), ref: 00AEF282
Part of subcall function 00AEF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00B1AEA5,?,?,00000000,00000008), ref: 00AEF2A6

#52.WSOCK32(?,?,?), ref: 00B292F0
#111.WSOCK32(00000000), ref: 00B292FB
_memmove.LIBCMT ref: 00B29328
#11.WSOCK32(?), ref: 00B29333

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$#111_memmove
String ID:
API String ID: 70051993-0
Opcode ID: 7a4cddad6793ab3de9856d20ee3d24aba1d61dc982908bef66287e7fec58de3d
Instruction ID: e393a3bd8ac2c6a48403306f7b705d067f07c6687bf1390e3fe644bd131e4177
Opcode Fuzzy Hash: 7a4cddad6793ab3de9856d20ee3d24aba1d61dc982908bef66287e7fec58de3d
Instruction Fuzzy Hash: FF116075900109AFCB04FBA0DE56DEE77B9EF18311B1440A6F50AA72A1DF30EE04CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C265 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B0C285
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B0C297
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B0C2AD
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B0C2C8

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f3fc47b0c9a0dcf74d13020d8e9d9fac1b522d08a2dfa9053d3b1da10569b739
Instruction ID: 63ee7517c7282ad42533016c7412bf511e136cc2b385b7650dfa9f7ebd7d5e60
Opcode Fuzzy Hash: f3fc47b0c9a0dcf74d13020d8e9d9fac1b522d08a2dfa9053d3b1da10569b739
Instruction Fuzzy Hash: 8011157A940218FFEB11DBE8C885E9DBBB8FB48710F204191EA05B7294D771AE11DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00AEC619 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00AEC657
GetStockObject.GDI32(00000011), ref: 00AEC66B
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AEC675

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 076cb4dc6fe957adbd1d644168b925812dfcbc562490be6ad99663b68771cf58
Instruction ID: b23c59047f1938bf8f7d4dd46623b77b3f64eb7f6cd19c48de9daca8b17d9c5a
Opcode Fuzzy Hash: 076cb4dc6fe957adbd1d644168b925812dfcbc562490be6ad99663b68771cf58
Instruction Fuzzy Hash: 8211C072501689BFDF124FA5CC51EEBBB69FF09364F051211FA0496120DB32DC61EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AD2A4B Relevance: 6.1, APIs: 4, Instructions: 52timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000001), ref: 00AD2A5D

Part of subcall function 00AD2B94: _memset.LIBCMT ref: 00AD2BC0
Part of subcall function 00AD2B94: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00AD2BF0

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: IconKillNotifyShell_Timer_memset
String ID:
API String ID: 4009928425-0
Opcode ID: 38f90d2d5b75fa59af3ed90ec90289a723bf1ed65cab4490d5314bc4ab4de23d
Instruction ID: e70d684e712a9dea53644bd91bbf7e370e9b61e9c8e8b2b11af8e61677f25cb8
Opcode Fuzzy Hash: 38f90d2d5b75fa59af3ed90ec90289a723bf1ed65cab4490d5314bc4ab4de23d
Instruction Fuzzy Hash: 28012832204146ABC7315F64AE09BBA3B75F774341F000297F503D31B1CEA11910F365

Uniqueness

Uniqueness Score: -1.00%

Function 00B149D1 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B1354D,?,00B145D5,?,00008000), ref: 00B149EE
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00B1354D,?,00B145D5,?,00008000), ref: 00B14A13
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B1354D,?,00B145D5,?,00008000), ref: 00B14A1D
Sleep.KERNEL32(?,?,?,?,?,?,?,00B1354D,?,00B145D5,?,00008000), ref: 00B14A50

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 527ed108370919d3cf6053bd7037ca8e63ccd45555cb618e669928362ecb7d01
Instruction ID: d34fbbf1cc21ef31aa0539cea61174abe0679c06b272572a02c0d4ab4ba77b3a
Opcode Fuzzy Hash: 527ed108370919d3cf6053bd7037ca8e63ccd45555cb618e669928362ecb7d01
Instruction Fuzzy Hash: CB114831D40618DBCF00AFA5EA88AEEBBB8FF09701F464195E941B6140CB309590CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00AF80E2 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 00AF869D: __getptd_noexit.LIBCMT ref: 00AF869E

__lock.LIBCMT ref: 00AF811F
InterlockedDecrement.KERNEL32(?), ref: 00AF813C
_free.LIBCMT ref: 00AF814F
InterlockedIncrement.KERNEL32(00B8A690), ref: 00AF8167

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: dc0157dd0591ffa1d676f9c63d5973886a83a85948041a0cb37c7dac0d67a9d6
Instruction ID: 97278e44369ca98751759d900c785a190d870c4f9c7b2c3008839f7f188fa99c
Opcode Fuzzy Hash: dc0157dd0591ffa1d676f9c63d5973886a83a85948041a0cb37c7dac0d67a9d6
Instruction Fuzzy Hash: AE0184319016199BDB11AFE4994677D7370BF05711F040355F614672A1CF3C5842CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 00AF8724 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00AF8768

Part of subcall function 00AF8984: __mtinitlocknum.LIBCMT ref: 00AF8996
Part of subcall function 00AF8984: EnterCriticalSection.KERNEL32(00AF0127,?,00AF876D,0000000D), ref: 00AF89AF

InterlockedIncrement.KERNEL32(DC840F00), ref: 00AF8775
__lock.LIBCMT ref: 00AF8789
___addlocaleref.LIBCMT ref: 00AF87A7

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: 14a70925ff1a1847761f0cb9a3624a1e5d21a6f0d926ec1f509594efb59a3ebb
Instruction ID: 23b68a076414ee18a73a5ede36ee7ff491c2dfee50bb541120698fd79ff022e8
Opcode Fuzzy Hash: 14a70925ff1a1847761f0cb9a3624a1e5d21a6f0d926ec1f509594efb59a3ebb
Instruction Fuzzy Hash: 00016D72410B049FE720EFA5C945769B7F0EF40325F20894EF599972A0DFB4A640CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E13E Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B3E14D
_memset.LIBCMT ref: 00B3E15C
CreateProcessW.KERNEL32 ref: 00B3E18B
CloseHandle.KERNEL32 ref: 00B3E19D

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 105d132f25d28ca63863eae550cfa01085f9662867ea6db653ab27aae05c55eb
Instruction ID: 86d453b8a909a94f11ce73ddf86cc2241a9b1bf599b970fa319b97bdfccc759d
Opcode Fuzzy Hash: 105d132f25d28ca63863eae550cfa01085f9662867ea6db653ab27aae05c55eb
Instruction Fuzzy Hash: DEF05EF2940305BEE6205B65AD46F777AECDB09B95F004462FA04E61A2DBB69E0086B4

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E83C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00AEB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00AEB5EB
Part of subcall function 00AEB58B: SelectObject.GDI32(?,00000000), ref: 00AEB5FA
Part of subcall function 00AEB58B: BeginPath.GDI32(?), ref: 00AEB611
Part of subcall function 00AEB58B: SelectObject.GDI32(?,00000000), ref: 00AEB63B

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B3E860
LineTo.GDI32(00000000,?,?), ref: 00B3E86D
EndPath.GDI32(00000000), ref: 00B3E87D
StrokePath.GDI32(00000000), ref: 00B3E88B

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 6cd40fa5eb4bfa772a4d1880d113526fc7e672962978958f4f5298b57a782657
Instruction ID: 1e44389958b41fea30cb7ce7dd4260a5a7ba8d1c8fd8349d2af39fa112bc2a0c
Opcode Fuzzy Hash: 6cd40fa5eb4bfa772a4d1880d113526fc7e672962978958f4f5298b57a782657
Instruction Fuzzy Hash: D9F0823100135ABBDB226F54AD0DFCE3F99AF06312F148282FA21620E18B759551DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00AEB0AC Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00AEB0C5
SetTextColor.GDI32(?,000000FF), ref: 00AEB0CF
SetBkMode.GDI32(?,00000001), ref: 00AEB0E4
GetStockObject.GDI32(00000005), ref: 00AEB0EC
GetWindowDC.USER32(?,00000000), ref: 00B4ECFA
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B4ED07
GetPixel.GDI32(00000000,?,00000000), ref: 00B4ED20
GetPixel.GDI32(00000000,00000000,?), ref: 00B4ED39
GetPixel.GDI32(00000000,?,?), ref: 00B4ED59
ReleaseDC.USER32 ref: 00B4ED64

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 1de108c9b61a6603756d6ec0240279364ab436605af7392e915a1ea9f38684a1
Instruction ID: 6eb4962b9d46c02da225e58d78cb27436eba7c86ef81e722ea33448332f5ca23
Opcode Fuzzy Hash: 1de108c9b61a6603756d6ec0240279364ab436605af7392e915a1ea9f38684a1
Instruction Fuzzy Hash: 49E0ED31500740AEEB325F75BC4D7993B61EB55336F1483A6F679A90E2CB718680DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00B4C0A0 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B4C0A0
GetDC.USER32(00000000), ref: 00B4C0AA
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B4C0C9
ReleaseDC.USER32 ref: 00B4C0E8

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d36ba4463e35eb44c13fdd42e0dc3d3c9f738d0dc7607e68c4d1d156ee55ce9d
Instruction ID: 290c604f8409630a1847015de4124ac0b5905263e8dd24e6105d21329b0e6cfe
Opcode Fuzzy Hash: d36ba4463e35eb44c13fdd42e0dc3d3c9f738d0dc7607e68c4d1d156ee55ce9d
Instruction Fuzzy Hash: 6BE01AB1500300EFDB115F7088487693BE9EB48362F118945F84AC7251DEB499819B10

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C066 Relevance: 6.0, APIs: 4, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B0C071
UnloadUserProfile.USERENV(?,?), ref: 00B0C07D
CloseHandle.KERNEL32(?), ref: 00B0C086
CloseHandle.KERNEL32(?), ref: 00B0C08E

Part of subcall function 00B0B850: GetProcessHeap.KERNEL32(00000000,?,00B0B574), ref: 00B0B857
Part of subcall function 00B0B850: HeapFree.KERNEL32(00000000), ref: 00B0B85E

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f78e29f1c4dd4c346f31cd0336556b1569c01e5c9a2bbcf9a2f9cf0624018d14
Instruction ID: cbea2555954b8d1f469e0931a928f476e492a03e328c8d87b687842a6730393b
Opcode Fuzzy Hash: f78e29f1c4dd4c346f31cd0336556b1569c01e5c9a2bbcf9a2f9cf0624018d14
Instruction Fuzzy Hash: 89E0BF36114606BBCB112F95DD08959FF66FF493223108365F61592570CF326871EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B4C0B4 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B4C0B4
GetDC.USER32(00000000), ref: 00B4C0BE
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B4C0C9
ReleaseDC.USER32 ref: 00B4C0E8

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 04bcf4c7aed88a57349bf5b54884fae26bae114890e3867c47efccdc634306a6
Instruction ID: 424e729b3cec0a92204240f91d2cbd8efd27b40e43b1c8eb6bafad11b12a8dd1
Opcode Fuzzy Hash: 04bcf4c7aed88a57349bf5b54884fae26bae114890e3867c47efccdc634306a6
Instruction Fuzzy Hash: EAE046B1500300EFDB11AF70CC487693BE9EB4C362F118945F94ACB250DFB899828B10

Uniqueness

Uniqueness Score: -1.00%

Function 00AF4C3D Relevance: 6.0, APIs: 4, Instructions: 14threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00AF4C3E

Part of subcall function 00AF86B5: GetLastError.KERNEL32(?,00AF0127,00AF88A3,00AF4673,?,?,00AF0127,?,00AD125D,00000058,?,?), ref: 00AF86B7
Part of subcall function 00AF86B5: __calloc_crt.LIBCMT ref: 00AF86D8
Part of subcall function 00AF86B5: GetCurrentThreadId.KERNEL32 ref: 00AF8701
Part of subcall function 00AF86B5: SetLastError.KERNEL32(00000000,00AF0127,00AF88A3,00AF4673,?,?,00AF0127,?,00AD125D,00000058,?,?), ref: 00AF8719

CloseHandle.KERNEL32(?,?,00AF4C1D), ref: 00AF4C52
__freeptd.LIBCMT ref: 00AF4C59
ExitThread.KERNEL32 ref: 00AF4C61

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit
String ID:
API String ID: 408300095-0
Opcode ID: b99af10a15dc014708f2c3054e174120e735a22dd54fc29d137c22d9f74a6e37
Instruction ID: c922d7c7e55f4c1d6cce86db0fb235d892122bd26909f3956c2da792a883c02f
Opcode Fuzzy Hash: b99af10a15dc014708f2c3054e174120e735a22dd54fc29d137c22d9f74a6e37
Instruction Fuzzy Hash: E4D0A731402F554BC13137A08E0D72E32505F01B27B014304F235970E19F244C024695

Uniqueness

Uniqueness Score: -1.00%

Function 00B52350 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 475COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AD67D0

Strings

DEFINE, xrefs: 00B5265C
>, xrefs: 00B52414

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: _memmove
String ID: >$DEFINE
API String ID: 4104443479-1664449232
Opcode ID: a4584aff9c1ec569e39c1a085bd61abd91c70376be7375eef85843009bf93ddb
Instruction ID: 1c6e76ec6ccf67bacc264404cfdd30fcbea23db52762f6d19175d5262496dc50
Opcode Fuzzy Hash: a4584aff9c1ec569e39c1a085bd61abd91c70376be7375eef85843009bf93ddb
Instruction Fuzzy Hash: 4C125A75A0120ADFCF24CF58C490AADB7F1FF59311F15819AE856AB391E730AD85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B0EAD5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00B0ECA0

Strings

AutoIt3GUI, xrefs: 00B0EC18
Container, xrefs: 00B0EC1F

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: d8cb978c8effdf3f9b74ad3dbc532d03213b4ae8552a4c5b4564f32cc4612ca0
Instruction ID: 299c0397bdf1cde8fbea92bb159dc68f8879d8539582b902cc0a4fea360b4b36
Opcode Fuzzy Hash: d8cb978c8effdf3f9b74ad3dbc532d03213b4ae8552a4c5b4564f32cc4612ca0
Instruction Fuzzy Hash: 0D912874600701AFDB24DF64C884B6ABBE5FF49710F1489ADF95ACB291EB71E841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B1E704 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 200shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD3BCF: _wcscpy.LIBCMT ref: 00AD3BF2

Part of subcall function 00AD84A6: __swprintf.LIBCMT ref: 00AD84E5
Part of subcall function 00AD84A6: __itow.LIBCMT ref: 00AD8519

__wcsnicmp.LIBCMT ref: 00B1E785
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B1E84E

Strings

LPT, xrefs: 00B1E77F

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 5020109a7b78f85ab8520b1f10d6d25a31b521ae7e3d18624ae3b0547d86f5ef
Instruction ID: 42f067722ca85697813c570b9ce5b06a8dbedccf4d0a93e866dea9bca9c1395c
Opcode Fuzzy Hash: 5020109a7b78f85ab8520b1f10d6d25a31b521ae7e3d18624ae3b0547d86f5ef
Instruction Fuzzy Hash: 7D617E75A00215AFDB14DB94C995EEEB7F4EF48310F4440AAF956AB391DB70EE80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B1CE59 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00AD417D: __fread_nolock.LIBCMT ref: 00AD419B

_wcscmp.LIBCMT ref: 00B1CF49
_wcscmp.LIBCMT ref: 00B1CF5C

Strings

FILE, xrefs: 00B1CE91

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 5e58c6afc482ce73913019140ba8adbf1668d2dc6b96ec72fb63e13cca360c7e
Instruction ID: b88f474d0cbb61eaae9a9c763d1e74be3403b5485846b59d4bbe0ee005585fd4
Opcode Fuzzy Hash: 5e58c6afc482ce73913019140ba8adbf1668d2dc6b96ec72fb63e13cca360c7e
Instruction Fuzzy Hash: 5241B332A40219BBDF10DBA4CC82FEF7BBADF49714F4005AAF601A7191D7719A89C750

Uniqueness

Uniqueness Score: -1.00%

Function 00B3A578 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00B3A668
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B3A67D

Strings

', xrefs: 00B3A5D1

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 1f6447c54dec4d06874b92bb7662dd8cc213b908f47d5dc2d0b25ad3b7623a3d
Instruction ID: 8fd03658ddb052c900ba633fba5aaa572f66f41303f4b1542f5937933a1e10d8
Opcode Fuzzy Hash: 1f6447c54dec4d06874b92bb7662dd8cc213b908f47d5dc2d0b25ad3b7623a3d
Instruction Fuzzy Hash: 8F411575A0020A9FDF14CF68C981BDA7BF5FB09300F2545AAE945EB381D770A941DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B26B60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00B26BDD

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

Strings

, $, xrefs: 00B26C1D
AUTOITCALLVARIABLE%d, xrefs: 00B26BCF

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 5ecc00c7d6c11026a168b2e07d839a99c1bcb8b5634fb65bbc1a0f68e89ba429
Instruction ID: ecd3d9acc1f44701d44ad55925c332b192ca0c69a7a867dc9f2cb38e5e7d032d
Opcode Fuzzy Hash: 5ecc00c7d6c11026a168b2e07d839a99c1bcb8b5634fb65bbc1a0f68e89ba429
Instruction Fuzzy Hash: FD214F35600229AACF14FFA4D992EAD77F5EF44B00F404495F54AB7291DB70EA41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B391DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B39269
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B39274

Strings

Combobox, xrefs: 00B39236

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 83d0c9308d18f07dc3b28eb622cccd3ec6c4793d88e5f2a0fbc2f099e0d29995
Instruction ID: ccaa36c647c8bc6c4f5ea024a36bb7bca89265d97b62e7acf4f94ac1a8fe544d
Opcode Fuzzy Hash: 83d0c9308d18f07dc3b28eb622cccd3ec6c4793d88e5f2a0fbc2f099e0d29995
Instruction Fuzzy Hash: 2911C871300609BFEF11DF54DC81EBB37DAEB893A4F204165F91897290D671EC518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B2ACD3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

#10.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 00B2ACF5
#9.WSOCK32(00000000,?,00000000), ref: 00B2AD32

Strings

255.255.255.255, xrefs: 00B2AD0D

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID:
String ID: 255.255.255.255
API String ID: 0-2422070025
Opcode ID: 25ef601a634687e1a4a8394f93cc04418c0e7a4aa09b56e9d764bda5c4fa6f06
Instruction ID: c66de1fed32d841683101806bff1037f7f9c48351c3ab17fbd43bdba3e4b7c25
Opcode Fuzzy Hash: 25ef601a634687e1a4a8394f93cc04418c0e7a4aa09b56e9d764bda5c4fa6f06
Instruction Fuzzy Hash: E601F935200315ABCB10AFA4D885FEDB3E4FF08751F1085AAF5199B2D1DB71E804C756

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C577 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B0C5E5

Strings

ComboBox, xrefs: 00B0C581
ListBox, xrefs: 00B0C5AF

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 4b4632cd18ad089466485754349f3824a6a4d039e056968382feeea5c6cc724d
Instruction ID: 5ec787c878cabac928aa4a85404bd9b54956e78ca192a0e0d49501bd9b44eff2
Opcode Fuzzy Hash: 4b4632cd18ad089466485754349f3824a6a4d039e056968382feeea5c6cc724d
Instruction Fuzzy Hash: F401B575611118ABCB08EBA4CD529FE7BEAAF523507140B5AF833E72E1DB30A909D750

Uniqueness

Uniqueness Score: -1.00%

Function 00B1C4D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B1C4EF
__fread_nolock.LIBCMT ref: 00B1C504

Strings

EA06, xrefs: 00B1C532

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 637d43889a164c865b67cdc62044b6816b8bfbffa3d91bbe771403b1bf015e71
Instruction ID: 378be5b5ba50236d80f32e7b2c45d4010ca2e4103f9ab4ecf0461c8a801e6e1f
Opcode Fuzzy Hash: 637d43889a164c865b67cdc62044b6816b8bfbffa3d91bbe771403b1bf015e71
Instruction Fuzzy Hash: 4F01B572944258AEDB28DBA8C856EFE7BF89B15711F00419AF193D6181E5B4A708CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C473 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B0C4E1

Strings

ComboBox, xrefs: 00B0C47D
ListBox, xrefs: 00B0C4AB

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: 9156e2e6d322fa4bc9c1f18d17b9e0c3b693eecfbf24cddf2ca011353ca204c0
Instruction ID: ac88da74fd343890d1f944c930b360bb5a517830cc441ddd0567f1d8f165f135
Opcode Fuzzy Hash: 9156e2e6d322fa4bc9c1f18d17b9e0c3b693eecfbf24cddf2ca011353ca204c0
Instruction Fuzzy Hash: BF01D4716411086BC704EBA0CA62AFF3BED9F01740F140156E503E32E1DB109E09D761

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C4F6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADCAEE: _memmove.LIBCMT ref: 00ADCB2F

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B0C562

Strings

ComboBox, xrefs: 00B0C500
ListBox, xrefs: 00B0C52E

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: MessageSend_memmove
String ID: ComboBox$ListBox
API String ID: 1456604079-1403004172
Opcode ID: a25514ebe666cb963d6e05ff5a43d01d301fec57beaf6d0393a6322da5e2ae06
Instruction ID: 2bb1a1d4bb62bfce01f486390429bef8fa65647dbb68895997707362c4a2361a
Opcode Fuzzy Hash: a25514ebe666cb963d6e05ff5a43d01d301fec57beaf6d0393a6322da5e2ae06
Instruction Fuzzy Hash: C301DF75A001086BCB04EBA4CE53AFF3BED9B11741B140256B503E32E1DA209E099661

Uniqueness

Uniqueness Score: -1.00%

Function 00B1804C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00B1806A
_wcscmp.LIBCMT ref: 00B1807C

Strings

#32770, xrefs: 00B18076

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 7b13e0f1b3bc28febf4b526bd7bb4af596d79060f0a8c9b4e6754b768a4c1d2d
Instruction ID: 6d633a2145aed26a93f409d1e6ddf1b19b77739cadad466a05fae436eb9ed69d
Opcode Fuzzy Hash: 7b13e0f1b3bc28febf4b526bd7bb4af596d79060f0a8c9b4e6754b768a4c1d2d
Instruction Fuzzy Hash: 9EE0D13350032927D720EA959C49FD7FBECFB51B64F000056F514D3151EA709645C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00B1D009 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B1D01E
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00B1D035

Strings

aut, xrefs: 00B1D02F

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: efec365556794e1e56770ac21e82bbca5cdd6c29630c9fded907563397dfa864
Instruction ID: d1dd749c7bbe4f77cd1b15bf3a14c41c32f6f15a2cb7b8e8f5897cd14a8f5338
Opcode Fuzzy Hash: efec365556794e1e56770ac21e82bbca5cdd6c29630c9fded907563397dfa864
Instruction Fuzzy Hash: C8D05EB154030EBBDB20ABA0ED0EF99B7ACA700B05F1042D0B615D20E1D6B0D6458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B38495 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B3849F
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B384B2

Part of subcall function 00B18355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B183CD

Strings

Shell_TrayWnd, xrefs: 00B38498

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5117178ad08e3e975ac9a60525be732f31498cb28fa0c266199f6055c4af0f1d
Instruction ID: 97225976d205dcdb4273dc6a69d805ec0b0174cf334e8d3f8ed4cd55a110c0de
Opcode Fuzzy Hash: 5117178ad08e3e975ac9a60525be732f31498cb28fa0c266199f6055c4af0f1d
Instruction Fuzzy Hash: 34D0C77134431477D67467709C4BFD66994AB14F11F0409957259961D0CDE0A840C654

Uniqueness

Uniqueness Score: -1.00%

Function 00B384C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B384DF
PostMessageW.USER32(00000000), ref: 00B384E6

Part of subcall function 00B18355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00B183CD

Strings

Shell_TrayWnd, xrefs: 00B384D8

Memory Dump Source

Source File: 00000001.00000002.525857131.0000000000AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true

Associated: 00000001.00000002.525833749.0000000000AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B5D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526322226.0000000000B7E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526406003.0000000000B8F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.526430312.0000000000B94000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ad0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 236011c2ddf3a40bc06f003e61323c9606e5fe12824fe48c32a4542622defb80
Instruction ID: c59fa17aa4d9cdc4d3becb6962d0e6c8579a5378cea6012aa6df0734551f5804
Opcode Fuzzy Hash: 236011c2ddf3a40bc06f003e61323c9606e5fe12824fe48c32a4542622defb80
Instruction Fuzzy Hash: 01D0C77138431477E67567709C4BFC66594AB19F11F0409957255961D0CDE0B840C654

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\zmWLVbyRgm\cfg

C:\ProgramData\zmWLVbyRgm\cfgi

C:\ProgramData\zmWLVbyRgm\lsas.exe

C:\Users\user\AppData\Local\Temp\autF235.tmp

C:\Users\user\AppData\Roaming\blsncxvoxmotpljzrxtwkmpap5606009.png

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
file.exe

Function 00ADE1F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 815
windowsleeptimeCOMMON

Function 00B06A28 Relevance: 47.9, APIs: 26, Strings: 1, Instructions: 626
fileCOMMONLIBRARYCODE

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre